Zyxel low-priv account leaked super-admin, FTPS, and TR-069 secrets across router fleets
This is the longer technical writeup behind CVE-2021-35036. The short CVE summary makes it sound like simple cleartext storage, but the useful part is the access path. A low-privileged Zyxel router session could query DAL handlers like login_privilege and tr69 and receive password-bearing backend objects in the response. That included higher-privilege local account data, FTPS credentials, and TR-069 management secrets. Zyxel’s advisory later expanded the scope from the original VMG3625-T50B report into broader CPE, ONT, LTE, and 5G product lines. I also included the password-generation side: QEMU runtime, LD_PRELOAD serial hook, getpassword analysis, and the Method2 / Method3 supervisor password logic.

Submitted by /u/TheReedemer69