The Zyxel firmware for the GS1900 switches, at least version 2.40(AAHH.2)C0, contains a hardcoded parameters which are used for AES256-CBC encryption an decryption of passwords. These parameters (IV, salt and password) are fixed for all devices running the firmware.
salt = "1A3BB2F78D6EC7D8"; iv = "2268BA68768B58C3687D4F205923A741"; key_data = "EC14D4F5BC6B9A3766D31EF9A1BB854121FB938B606462C70B2D0E26549C486A";
Based on the code in
libsal.so (responsible the encryption and decryption in the
firmware) I hacked up a quick tool to demonstrate how these hardcoded parameters
can be used to decrypt passwords, e.g. in combination with CVE-2019-15799.
The hardcoded credentials in the firmware (CVE-2019-15801) were also encrypted with this key.