Executive Summary

The issue was first reported against Zyxel VMG3625-T50B firmware V5.50(ABTL.0)b2k and later expanded into a broader product-line problem: authenticated low-privilege sessions could reach backend DAL endpoints that returned administrator, supervisor, FTPS, and TR-069 secrets in cleartext. The exposed code belongs to a shared management framework, which matches the later vendor-side scope expansion across DSL, fiber, 4G, and 5G CPE product families.

Original Finding

A user-privileged account could browse directly to:

GET /cgi-bin/DAL?oid=login_privilege
GET /cgi-bin/DAL?oid=tr69

and obtain cleartext values for local accounts and TR-069 credentials. Disclosure material also shows a related /getDefaultInformation response leaking default passwords for root, supervisor, admin, admin1, and ftps.

[Figure: Intercept evidence captured during disclosure.]

The issue was not just that secrets existed in storage. An authenticated low-privilege session could retrieve them through ordinary web-facing DAL handlers.

Affected Product Scope

Zyxel first assigned the CVE for VMG3625-T50B, but its later public advisory broadened affected scope across multiple product families:

DSL / Ethernet CPE: VMG3625-T50B, VMG3927-T50K, VMG8623-T50B, VMG8825-T50K, EMG3525-T50B, EMG5523-T50B, EMG5723-T50K, DX3301-T0, DX5401-B0, EX5401-B0, EX5501-B0

Fiber ONT: AX7501-B series, EP240P, PMG5617GA, PMG5622GA, PMG5317-T20B, PMG5617-T20B2, PM7300-T0

4G / 5G CPE: LTE3301-PLUS, LTE5388 family, LTE7480 family, LTE7490-M804, NR5101, NR7101, NR7102

That scope matters because the exposed code belongs to shared libzcfg_fe_dal management code, not a one-off UI template.

Root Cause Analysis

Four code-level details explain why the leak existed and why incremental patching took multiple attempts.

1. login_privilege GET returned raw passwords. In the firmware source, zcfgFeDal_LoginPrivilege_Get iterates through RDM_OID_ZY_LOG_CFG_GP_ACCOUNT and copies each account's Password field directly into the outgoing JSON array:

json_object_object_add(paramJobj, "Username",
  JSON_OBJ_COPY(json_object_object_get(loginPrivilegeObj, "Username")));
json_object_object_add(paramJobj, "Password",
  JSON_OBJ_COPY(json_object_object_get(loginPrivilegeObj, "Password")));

The DAL command registration exposes login_privilege as edit|get with an empty privilege string, even though the inline comment says root_only.

2. TR-069 GET copied the whole management object. The TR-069 DAL getter uses a generic copy path across the management parameter list, including Password and ConnectionRequestPassword, unless another layer explicitly strips them:

else {
  json_object_object_add(pramJobj, paraName,
    JSON_OBJ_COPY(json_object_object_get(mgmtJobj, paraName)));
}

3. Cosmetic hiding arrived after the backend exposure. Later patches show Zyxel masking values in display code by printing asterisks for ACS and SIP passwords. That is a UI / CLI presentation fix, not a backend access-control fix.

4. Subsequent metadata fixes confirm the sensitivity. Other later patches add PARAMETER_ATTR_PASSWORD to fields like Password, ConnectionRequestPassword, DefaultPassword, and PasswordHash. That change acknowledges these values should not have been returned verbatim in getter flows.
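To make the difference between the original getter and the PARAMETER_ATTR_PASSWORD fix concrete, here is an added, self-contained C model (not Zyxel's code; the flag value, the mgmt_param_t table layout and the sample TR-069 values are all constructed for this example, and json-c is replaced by a flat "name=value;" serialiser). It models only the attribute gating of getter output, not the DAL command privilege-string registration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed attribute flag: stands in for the PARAMETER_ATTR_PASSWORD
 * metadata the page describes. Not Zyxel's definition. */
#define PARAMETER_ATTR_PASSWORD 0x1u

typedef struct { const char *name; const char *value; unsigned attrs; } mgmt_param_t;

/* Constructed sample of a TR-069 management object as a DAL getter sees it. */
static const mgmt_param_t sample_tr69[] = {
    {"URL",                       "https://acs.example.invalid/acs", 0},
    {"Username",                  "cpe-0001",                        0},
    {"Password",                  "acs-secret",                      PARAMETER_ATTR_PASSWORD},
    {"ConnectionRequestUsername", "acs",                             0},
    {"ConnectionRequestPassword", "crp-secret",                      PARAMETER_ATTR_PASSWORD},
};
#define SAMPLE_TR69_N (sizeof sample_tr69 / sizeof sample_tr69[0])

/* Flatten a management object into "name=value;" pairs.
 * strip_secrets == 0 reproduces the original getter: every field,
 * passwords included, is copied through verbatim.
 * strip_secrets != 0 applies the backend fix: any field flagged
 * PARAMETER_ATTR_PASSWORD is never serialised, whoever is asking.
 * Returns the number of bytes written to out. */
size_t dal_get(const mgmt_param_t *p, size_t n, int strip_secrets,
               char *out, size_t outlen)
{
    size_t used = 0;
    out[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        if (strip_secrets && (p[i].attrs & PARAMETER_ATTR_PASSWORD))
            continue;
        int w = snprintf(out + used, outlen - used, "%s=%s;",
                         p[i].name, p[i].value);
        if (w < 0 || (size_t)w >= outlen - used)
            break;           /* output buffer full: stop, never overflow */
        used += (size_t)w;
    }
    return used;
}

/* Audit helper: does a serialised getter response still carry the value
 * of any field that the metadata marks as a password? */
int response_leaks_secret(const mgmt_param_t *p, size_t n, const char *resp)
{
    for (size_t i = 0; i < n; i++)
        if ((p[i].attrs & PARAMETER_ATTR_PASSWORD) && strstr(resp, p[i].value))
            return 1;
    return 0;
}
```

The same audit helper can be pointed at a captured DAL response to confirm that a patched build no longer returns flagged fields, independent of any asterisk masking done in the UI.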

Exploit Mechanics

An attacker with any valid low-privilege account on the device web interface could exploit this vulnerability in a straightforward sequence. First, authenticate to the web interface with a guest or limited account to obtain a valid session cookie. Second, issue a direct HTTP GET request to the DAL endpoint: GET /cgi-bin/DAL?oid=login_privilege. The device responds with a JSON object containing plaintext credentials for the administrator, supervisor, and other privileged accounts. Third, optionally query GET /cgi-bin/DAL?oid=tr69 to retrieve TR-069 ACS username and password, and /getDefaultInformation to capture FTPS and default system account secrets. The entire exploit chain requires no memory corruption, no shellcode, and no exploit reliability tuning. It is a pure logic flaw in access-control policy.

Impact Assessment

The severity of this vulnerability extends well beyond a simple information-disclosure rating. Obtaining the super-admin password on a CPE or ONT device grants full administrative control over the subscriber's network gateway. An attacker can reconfigure DNS to redirect traffic, intercept unencrypted communications, modify firewall rules, and, depending on deployment, expose remote-management credentials. In ISP-managed environments where TR-069 is active, leaked ACS credentials may increase risk to management channels, though actual impact would depend on the specific deployment and access controls in place.

Timeline

The vulnerability was originally discovered and reported to Zyxel through coordinated disclosure. Zyxel acknowledged the issue and released patches across the affected product families in stages. The initial advisory covered the VMG3625-T50B as the primary affected model. Subsequent investigation and vendor confirmation expanded the scope to include the full DSL, Fiber ONT, 4G, and 5G CPE product lines listed above. The CVE was assigned as CVE-2021-35036 with a CVSS score reflecting the authenticated-access prerequisite combined with the critical impact of full credential disclosure.

Mitigation and Recommendations

For end users and network administrators, the immediate mitigation is to apply the firmware updates released by Zyxel for each affected product. Where firmware updates cannot be applied immediately, restricting access to the device web management interface to trusted hosts only reduces exposure. Disabling remote management access from the WAN side is a critical interim step. ISPs managing large CPE fleets should audit TR-069 session logs for anomalous credential use and rotate ACS passwords as a precautionary measure. Long-term, the vendor's addition of PARAMETER_ATTR_PASSWORD attribute enforcement represents the correct architectural fix, ensuring sensitive fields are never returned in API getter responses regardless of the caller's privilege level.

Conclusion

CVE-2021-35036 illustrates a recurring pattern in embedded device firmware: access-control policies enforced only at the UI layer, with backend data retrieval endpoints left unguarded. The shared libzcfg_fe_dal codebase propagated this flaw across an entire product generation, turning a single logic error into a fleet-wide vulnerability. The remediation history, moving from cosmetic asterisk-masking to proper PARAMETER_ATTR_PASSWORD enforcement, reflects how firmware vendors often underestimate the backend exposure surface initially and require iterative patches to address root causes. Network operators and security researchers auditing similar devices should treat any DAL or configuration API endpoint as a high-value target warranting explicit access-control review.

References

Canonical write-up — CVE-2021-35036: Zyxel Super-Admin Password Leak

GitHub Repository — zyxel-cve-2021-35036-super-admin-password-leak

Zyxel Security Advisory — Cleartext Storage of Information Vulnerability

NVD — CVE-2021-35036

Boginw — Zyxel VMG8825 keygen (supporting architecture context)