A Critical Vulnerability in Zyxel Firewalls
A significant security flaw has been identified in Zyxel’s ATP and USG series firewalls, granting potential attackers the capability to circumvent authorization controls and gain access to sensitive system configurations.
Tracked as CVE-2025-9133, this vulnerability affects devices running firmware versions up to V5.40(ABPS.0). It allows a user who has entered a password but has not yet completed the second step of two-factor authentication (2FA) to view and download device configurations.
The vulnerability, revealed on August 14, 2025, originates from inadequate command filtering present in the web interface. This deficiency could lead to the exposure of critical information, such as credentials, keys, and network settings, facilitating remote exploitation.
The issue manifests when a user with 2FA enabled accesses the device’s web portal. Under normal circumstances, they must provide a one-time PIN through either email or an authentication application to proceed with the login.
However, prior to this verification, the system transmits semi-authenticated requests to the backend component known as zysh-cgi, responsible for handling configuration inquiries.
Alessandro Sgreccia, who discovered this vulnerability concurrently with CVE-2025-8078, indicated that attackers can exploit these requests by injecting commands, thereby circumventing a whitelist designed to restrict access for unauthorized users.
Bypassing Via Command Injection
Using Burp Suite, the researcher intercepted POST requests directed at /cgi-bin/zysh-cgi. These requests normally carry innocuous commands, such as “show version” or “show users current,” which are permitted in the partially authenticated state (user type 0x14).
By appending a further command after a semicolon (e.g., “show version; show running-config”), the request still passes the allowlist check while carrying a command the partially authenticated session is not permitted to run.
The binary employs prefix-based validation, checking only the beginning of the string against an allowlist. If a match is found, the complete command chain is forwarded to the device’s Command Line Interface (CLI) parser, executing the concealed payload without further examination.
In contrast, attempts to access configurations via export-cgi or file_upload-cgi result in a `302` redirect to the login page, enforcing a logout after unsuccessful 2FA attempts.
Yet, the zysh-cgi endpoint lacks this protective measure, returning full configuration dumps encapsulated in JavaScript-serialized responses (e.g., zyshdata arrays) when filter=js2 is specified.
An analysis of the zysh-cgi binary revealed two execution pathways selected by user profile; the constrained “engine” path used for non-admin (partially authenticated) users omits full validation of the command string, which is what permits the authorization bypass.
The failure to split commands on semicolons or to re-validate sub-elements transforms what should be a read-only query into a comprehensive exfiltration channel.
This authorization bypass could empower attackers to harvest sensitive information, such as passwords, API keys, and routing details, thereby facilitating lateral movement within networks or enabling persistent access through configuration manipulation.
Because Zyxel ATP and USG devices are widely deployed as perimeter defenses in enterprise and SMB (small and medium-sized business) networks, the risk is heightened by the fact that the flaw persists even when 2FA is enabled.
As of October 2025, Zyxel has yet to issue a patch for this vulnerability. Cybersecurity experts strongly advise immediate remedial actions: disabling remote web access, imposing stringent firewall regulations on CGI endpoints, and monitoring for anomalous zysh-cgi traffic.

For effective remediation, vendors should implement command tokenization, validate each sub-command individually, and entirely disallow command chaining. Incorporating CSRF tokens and rate-limiting measures could further enhance security.
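The prefix-only allowlist check described above, beside the tokenising and exact-match checks the article recommends, as an added example (this is not Zyxel's code; the allowlist entries are the two commands the article names, and the metacharacter set is an assumption):

```python
import re

# Constructed allowlist: read-only commands a partially authenticated
# (pre-2FA) session may issue. The real zysh-cgi list is not public;
# the two entries are the commands the article names.
ALLOWED_COMMANDS = frozenset({"show version", "show users current"})

# Assumed set of CLI/shell metacharacters that can chain or substitute
# commands; ';' is the one the article describes.
CHAIN_CHARS = re.compile(r"[;&|\r\n`$()]")
OTHER_CHAIN_CHARS = re.compile(r"[&|\r\n`$()]")


def normalise(cmd: str) -> str:
    """Collapse runs of whitespace so 'show  version ' equals 'show version'."""
    return " ".join(cmd.split())


def weak_is_allowed(cmd: str) -> bool:
    """Prefix-only check modelling the flaw: only the start of the string is
    compared, so anything chained after a matching prefix is forwarded to the
    CLI parser unexamined."""
    return any(normalise(cmd).startswith(allowed) for allowed in ALLOWED_COMMANDS)


def strict_is_allowed(cmd: str) -> bool:
    """Hardened check for a 'no chaining' policy: reject chaining
    metacharacters outright, then require an exact allowlist match."""
    if CHAIN_CHARS.search(cmd):
        return False
    return normalise(cmd) in ALLOWED_COMMANDS


def chain_is_allowed(cmd: str) -> bool:
    """If chaining must be supported, tokenise on ';' and validate every
    sub-command individually; one unknown or empty element fails the whole
    request, so a permitted prefix cannot smuggle a later command."""
    if OTHER_CHAIN_CHARS.search(cmd):
        return False
    parts = [normalise(p) for p in cmd.split(";")]
    return all(p in ALLOWED_COMMANDS for p in parts)


if __name__ == "__main__":
    for probe in ("show version", "show version; show running-config"):
        print(f"{probe!r}: weak={weak_is_allowed(probe)} "
              f"strict={strict_is_allowed(probe)} chain={chain_is_allowed(probe)}")
```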
This incident highlights the urgent need for robust input sanitization in embedded systems as cybersecurity threats continue to evolve. Organizations utilizing Zyxel ATP/USG products should conduct an immediate audit of their configurations to avert potential data leaks.
Source link: Cybersecuritynews.com.