When doing some research (rooting) on my Zyxel USG40, I was surprised to find a user account 'zyfwp' with a password hash in the latest firmware version (4.60 patch 0). The plaintext password was visible in one of the binaries on the system. I was even more surprised that this account seemed to work on both the SSH and web interface.$ ssh firstname.lastname@example.org Password: Pr*******Xp Router> show users current No: 1 Name: zyfwp Type: admin (...) Router>
The user is not visible in the interface and its password cannot be changed. I checked the previous firmware version (4.39) and although the user was present, it did not have a password. It seemed the vulnerability had been introduced in the latest firmware version. Even though older versions do not have this vulnerability, they do have others (such as this buffer overflow) so you should still update.