PT-2025-42828 · Zyxel · Zyxel USG FLEX Series (and 3 more products)

Published 2025-10-20 · Updated 2025-12-14 · CVE-2025-9133

CVSS v2.0: 8.5 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:N

Name of the Vulnerable Software and Affected Versions
Zyxel ATP series versions V4.32 through V5.40
Zyxel USG FLEX series versions V4.50 through V5.40
Zyxel USG FLEX 50(W) series versions V4.16 through V5.40
Zyxel USG20(W)-VPN series versions V4.16 through V5.40

Description
A missing authorization flaw exists in Zyxel ATP, USG FLEX, and USG20(W)-VPN devices. An attacker who has completed only the first stage of two-factor authentication (2FA) can view and download the system configuration. The cause is insufficient input validation and incorrect logic in the CGI interface, specifically in the zysh-cgi component: the attacker can inject commands through the cmd parameter, bypassing the second 2FA stage. The CGI interface does not properly sanitize the input string before passing it to the backend CLI, so commands such as "show version" and "show running-config" are executed and the device's configuration is disclosed.
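The flaw pattern in the description, a CGI handler that gates on a half-completed login and forwards the cmd parameter to a CLI unvalidated, is modelled below beside a hardened handler. This is a constructed example added for this page, not Zyxel's zysh-cgi code; the session fields, the fake CLI and its outputs, and the command allowlist are all assumptions.

```python
"""Model of a CGI command gateway in front of a device CLI.

Constructed example for this advisory page; it is not Zyxel's zysh-cgi code.
The session fields, the fake CLI and its outputs, and the allowlist are assumptions.
"""
from dataclasses import dataclass

# Constructed stand-in for the backend CLI: maps one command to its output.
FAKE_CLI = {
    "show version": "firmware V5.40 (constructed)",
    "show running-config": "hostname fw; admin password <redacted> (constructed)",
}


def backend_cli(raw: str) -> str:
    """Simulated CLI that, like a shell, runs every ';'-separated command.

    This is the point where an unsanitized string becomes several commands.
    """
    outputs = []
    for part in raw.split(";"):
        cmd = " ".join(part.split())
        if not cmd:
            continue
        outputs.append(FAKE_CLI.get(cmd, f"unknown command: {cmd}"))
    return "\n".join(outputs)


@dataclass
class Session:
    user: str
    first_factor_ok: bool    # password accepted (first 2FA stage)
    second_factor_ok: bool   # one-time code accepted (second 2FA stage)
    is_admin: bool = False


def weak_handler(session: Session, cmd: str) -> str:
    """Flaw pattern from the advisory: authorization only checks that a login
    session exists (first factor), and cmd is forwarded without validation."""
    if not session.first_factor_ok:
        return "ERROR: not logged in"
    return backend_cli(cmd)


# Commands a fully authenticated operator may run through the CGI, and the
# subset that additionally requires admin rights (both sets are assumptions).
ALLOWED = {"show version", "show running-config"}
ADMIN_ONLY = {"show running-config"}
SEPARATORS = set(";|&`$\n\r")


def hardened_handler(session: Session, cmd: str) -> str:
    # 1. Authorization: every authentication stage must be complete.
    if not (session.first_factor_ok and session.second_factor_ok):
        return "ERROR: authentication incomplete"
    # 2. Reject metacharacters that could turn one command into several.
    if any(ch in SEPARATORS for ch in cmd):
        return "ERROR: invalid characters in cmd"
    # 3. Allowlist the exact, normalized command instead of filtering bad ones.
    normalized = " ".join(cmd.split())
    if normalized not in ALLOWED:
        return "ERROR: command not permitted"
    # 4. Per-command privilege check before the CLI ever sees the string.
    if normalized in ADMIN_ONLY and not session.is_admin:
        return "ERROR: admin rights required"
    return backend_cli(normalized)


if __name__ == "__main__":
    half = Session("alice", first_factor_ok=True, second_factor_ok=False)
    print(weak_handler(half, "show version; show running-config"))
    print(hardened_handler(half, "show version; show running-config"))
```

The hardened handler makes the authorization decision (full 2FA, then per-command privilege) before any string reaches the CLI, and accepts only an exact allowlisted command rather than trying to strip dangerous characters from free-form input; the separator check is there so that a rejected request is logged with a clear reason.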
Recommendations
Zyxel ATP series versions prior to V4.32
Zyxel USG FLEX series versions prior to V4.50
Zyxel USG FLEX 50(W) series versions prior to V4.16
Zyxel USG20(W)-VPN series versions prior to V4.16

Fix

Weakness Enumeration

Missing Authorization

Related Identifiers

BDU:2025-15910
CVE-2025-9133

Affected Products

Zyxel ATP series
Zyxel USG FLEX 50(W) series
Zyxel USG FLEX series
Zyxel USG20(W)-VPN series