Critical Vulnerability in Zyxel Firewalls Allows Unauthorized Access to System Configurations

A significant security flaw has been identified in Zyxel's ATP and USG series firewalls that allows an attacker to bypass an authorization check and read sensitive system configuration. The vulnerability, tracked as CVE-2025-9133, affects devices running firmware versions up to V5.40 and was publicly disclosed on October 21, 2025, following a coordinated vulnerability disclosure process.

Understanding the Vulnerability

The flaw lies in the authorization check applied while a login is only partially complete. It involves the `zysh-cgi` binary, the CGI handler through which the web interface passes configuration queries and changes to the ZLD system. A request sent while two-factor authentication (2FA) verification is still pending is only supposed to carry a small set of harmless commands, but the check that enforces this can be bypassed by chaining an arbitrary command onto a permitted one, giving the attacker access to system files that are normally restricted.

Technical Details

When a user with 2FA enabled logs into the device's web portal, the username and password are checked first and the user is then prompted for a one-time PIN delivered by email or generated by an authenticator app. While the login sits in this intermediate state, the web interface issues semi-authenticated requests to the backend `zysh-cgi` binary. These requests normally carry benign commands such as `show version` or `show users current`, which are allowlisted for the partially authenticated state.

The vulnerability arises from inadequate command filtering in the web interface. The validation is prefix-based: it compares only the start of the submitted string against the allowlist. An attacker can therefore append a second command after a semicolon, for example `show version;show running-config`. The string begins with an allowlisted command, so the check passes and the entire chain is forwarded to the device's command-line interface (CLI) parser, which executes the appended command without further scrutiny.

As a result, an attacker can view and download the running configuration of the target device, which can expose credentials, encryption keys, and network settings. Note what the attacker needs: the semi-authenticated state is only reached after the first factor has been accepted, so the practical scenario is an attacker who holds a valid username and password (obtained by phishing, reuse, or an earlier breach) but not the second factor. For such an attacker 2FA no longer protects the configuration, which undermines the very layer it is meant to add.

Impacted Devices and Firmware Versions

The vulnerability affects the following Zyxel firewall series and firmware versions:

– ATP Series: Firmware versions from V4.32 through V5.40

– USG FLEX Series: Firmware versions from V4.50 through V5.40

– USG FLEX 50(W) / USG20(W)-VPN Series: Firmware versions from V4.16 through V5.40

Zyxel has released patches to address this vulnerability. Users are strongly advised to update their devices to firmware version V5.41 or later to mitigate the risk. The patches are available on Zyxel’s official website.

Mitigation Measures

In addition to applying the firmware updates, users should consider the following mitigation measures to enhance security:

1. Disable Remote Web Access: If remote management through the web interface is not required, disable it, or at least do not expose it on the WAN. This removes the path by which semi-authenticated requests can arrive from the internet at all.

2. Enforce Strict Firewall Rules: Restrict which source addresses may reach the management interface and its CGI endpoints, and alert on requests to `zysh-cgi` that carry command separators or commands outside the small set expected before 2FA completes.

3. Monitor System Logs: Regularly review system logs for any unauthorized access attempts or unusual activities.

4. Implement Network Segmentation: Segmenting the network can limit the potential impact of a compromised device.
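The log review in steps 2 and 3, as an added example written for this article (not Zyxel's code, and not Zyxel's log format). The log lines are constructed for the example and use an assumed layout of timestamp, source IP, method, path, query string and status; the command parameter name `cmd` and the separators beyond `;` are likewise assumptions, since the real request format is not described here. The detector parses each line, URL-decodes the command and flags requests to `zysh-cgi` that either chain commands or ask for a command outside the allowlist, then counts findings per source address.

```python
"""Added detection example (not Zyxel's code or log format): scan web-access
log lines for zysh-cgi requests that chain commands or request commands that
are not allowlisted for the 2FA-pending state."""
import re
from collections import Counter
from urllib.parse import parse_qs

# Commands the article says are allowlisted while 2FA is pending.
ALLOWED = {"show version", "show users current"}
# ';' is the separator the article describes; the rest are assumed extras.
CHAIN_SEPARATORS = re.compile(r"[;\r\n|&]")

# Constructed sample log. Layout (an assumption, not Zyxel's format):
#   <timestamp> <source-ip> <method> <path> <query-string-or-'-'> <status>
SAMPLE_LOG = """\
2025-10-21T10:15:02Z 203.0.113.7 POST /cgi-bin/zysh-cgi cmd=show%20version 200
2025-10-21T10:15:09Z 203.0.113.7 POST /cgi-bin/zysh-cgi cmd=show%20version%3Bshow%20running-config 200
2025-10-21T10:15:11Z 198.51.100.4 GET /cgi-bin/zysh-cgi cmd=show%20users%20current 200
2025-10-21T10:15:30Z 203.0.113.7 POST /cgi-bin/zysh-cgi cmd=show%20running-config 403
2025-10-21T10:16:00Z 192.0.2.9 GET /login.cgi - 200
"""


def parse_line(line: str):
    """Split one log line into fields; returns None for lines that do not fit the layout."""
    fields = line.split()
    if len(fields) != 6:
        return None
    ts, src, method, path, query, status = fields
    return {"ts": ts, "src": src, "method": method, "path": path,
            "query": query, "status": status}


def classify(cmd: str):
    """Return why a command is suspicious, or None if it is an exact allowlisted command."""
    if CHAIN_SEPARATORS.search(cmd):
        return "chained command"
    if " ".join(cmd.split()) not in ALLOWED:
        return "non-allowlisted command"
    return None


def scan(log_text: str, param: str = "cmd") -> list[dict]:
    """Return one finding per suspicious zysh-cgi request, in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith("/zysh-cgi"):
            continue
        values = parse_qs(rec["query"]).get(param)  # parse_qs URL-decodes the value
        if not values:
            continue
        reason = classify(values[0])
        if reason:
            findings.append({**rec, "cmd": values[0], "reason": reason})
    return findings


def sources_to_investigate(findings: list[dict]) -> Counter:
    """Count findings per source address so repeat offenders surface first."""
    return Counter(f["src"] for f in findings)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f"{f['ts']} {f['src']} {f['status']} {f['reason']}: {f['cmd']!r}")
    print(sources_to_investigate(hits))
```

The 403 on the fourth line is still reported: a rejected request for `show running-config` from the same address that just succeeded with a chained payload is exactly the kind of probing the log review is meant to surface, so the detector keys on the attempted command rather than on the response status.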

Recommendations for Vendors

To prevent similar vulnerabilities in the future, vendors should consider the following recommendations:

– Tokenize Commands: Split each request into its individual commands before validation, so that every command in the string, not just the first, is checked.

– Validate Sub-Commands: Compare each sub-command against the allowlist with an exact match rather than a prefix match, so that `show version;show running-config` (or `show versions`) cannot pass on the strength of its first few characters.

– Reject Command Chaining: While authentication is incomplete, refuse any request that contains a command separator at all, rather than trying to validate each part; this also removes the risk that the web filter and the CLI parser disagree about where one command ends.

– Add CSRF Tokens: Incorporate Cross-Site Request Forgery (CSRF) tokens to enhance security against unauthorized requests.

– Implement Rate Limiting: Apply rate limiting to reduce the risk of automated attacks.
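The prefix check described under Technical Details and the tokenize, validate and reject-chaining recommendations above, shown side by side as an added example. This is illustrative Python written for this article, not Zyxel's code: the allowlist contents and the `;` separator come from the article, while the extra separators, the `simulate_cli` stand-in for the device's CLI parser, and all function names are assumptions.

```python
"""Added example (not Zyxel's code): the flawed prefix-based allowlist check
described in the article, beside two hardened policies. `tokenized_check`
validates every sub-command exactly; `strict_check` rejects chaining outright."""
import re

# Commands the article says are permitted while 2FA verification is pending.
SEMI_AUTH_ALLOWLIST = {"show version", "show users current"}

# Characters treated as command boundaries. ';' is the separator the article
# describes; the others are an assumption so the hardened checks do not hinge
# on one specific character.
CHAIN_SEPARATORS = re.compile(r"[;\r\n|&]")


def normalize(cmd: str) -> str:
    """Collapse internal whitespace so 'show   version' compares equal to 'show version'."""
    return " ".join(cmd.split())


def simulate_cli(cmd: str) -> list[str]:
    """Stand-in (assumed, not the real ZLD parser) for the device CLI: it runs
    every ';'-separated command it is handed and returns what it executed."""
    return [normalize(part) for part in cmd.split(";") if part.strip()]


def prefix_check_vulnerable(cmd: str) -> bool:
    """The flawed check: passes if the string merely *starts with* an allowed command."""
    return any(cmd.startswith(allowed) for allowed in SEMI_AUTH_ALLOWLIST)


def tokenize(cmd: str) -> list[str]:
    """Split a request into sub-commands on every separator, dropping empty pieces."""
    return [normalize(p) for p in CHAIN_SEPARATORS.split(cmd) if p.strip()]


def tokenized_check(cmd: str) -> bool:
    """Tokenize, then exact-match *every* sub-command.
    Fixes the prefix bug but still lets allowed commands be chained."""
    parts = tokenize(cmd)
    return bool(parts) and all(p in SEMI_AUTH_ALLOWLIST for p in parts)


def strict_check(cmd: str) -> bool:
    """Strictest policy: any separator is rejected before parsing, then the
    single remaining command must match the allowlist exactly."""
    if CHAIN_SEPARATORS.search(cmd):
        return False
    return normalize(cmd) in SEMI_AUTH_ALLOWLIST


def handle_request(cmd: str, check) -> list[str]:
    """Gate the request with `check`, then hand it to the CLI stand-in.
    Returns the commands that actually ran (empty list if rejected)."""
    return simulate_cli(cmd) if check(cmd) else []


if __name__ == "__main__":
    payload = "show version;show running-config"
    for name, check in [("prefix (vulnerable)", prefix_check_vulnerable),
                        ("tokenized", tokenized_check),
                        ("strict", strict_check)]:
        print(f"{name:20s} -> executed {handle_request(payload, check)}")
```

The vulnerable policy lets the chained payload reach the CLI stand-in, which executes `show running-config` as the second command. The tokenized policy blocks that payload because `show running-config` fails the exact match, but it would still accept `show version;show users current`; the strict policy rejects anything containing a separator, which is the behaviour a pre-2FA endpoint should have.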

Conclusion

This vulnerability underscores the importance of robust input validation and comprehensive security measures in network devices. Organizations using Zyxel ATP and USG series firewalls should promptly apply the available patches and review their security configurations to prevent potential data breaches. Staying vigilant and proactive in addressing such vulnerabilities is crucial in maintaining network security.