Skip to content
  • Blog Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form

ZYXEL Authorization Bypass Vulnerability Let Attackers View and Download System Configuration

Posted on October 22, 2025October 22, 2025 By CWS

A essential authorization bypass vulnerability has emerged in ZYXEL’s ATP and USG sequence community safety home equipment, permitting attackers to bypass two-factor authentication protections and acquire unauthorized entry to delicate system configurations.

Tracked as CVE-2025-9133, this safety flaw impacts units operating ZLD firmware model 5.40 and was publicly disclosed on October 21, 2025, following a coordinated vulnerability disclosure course of.

The vulnerability exploits a weak spot within the authentication verification section, particularly focusing on the zysh-cgi binary that handles communication with the ZLD system for configuration queries and modifications.

The flaw allows menace actors to inject malicious instructions into authentication requests throughout the 2FA verification stage, successfully bypassing safety controls that might usually prohibit entry to essential system information.

When customers with two-factor authentication enabled log into affected units, they’re prompted to enter a verification code acquired by way of electronic mail or Google Authenticator.

Nevertheless, throughout this intermediate authentication state, the vulnerability permits attackers to control command strings despatched to the machine’s backend, granting them the flexibility to view and obtain full system configurations containing credentials, encryption keys, and different delicate safety parameters.

Rainpwn analyst recognized this vulnerability whereas conducting safety analysis on ZYXEL community home equipment in August 2025.

The researcher found that the authentication mechanism fails to correctly validate command inputs throughout the 2FA verification section, creating an exploitable window the place semi-authenticated customers can execute privileged operations.

This discovery got here parallel to a different essential vulnerability, CVE-2025-8078, highlighting systemic points in ZYXEL’s authentication implementation.

Command Injection and Whitelist Bypass Mechanism

The vulnerability stems from a elementary flaw in how the zysh-cgi endpoint processes and validates person instructions.

ZYXEL applied a whitelist-based safety management that theoretically restricts semi-authenticated customers to executing solely particular, pre-approved instructions akin to “present model” or “present customers present.”

Nevertheless, the validation mechanism solely performs prefix-based string matching with out tokenizing or splitting concatenated instructions.

This design weak spot permits attackers to chain a number of instructions utilizing semicolon separators, successfully smuggling unauthorized instructions alongside respectable ones.

The exploitation approach includes crafting a specifically formatted HTTP POST request to the /cgi-bin/zysh-cgi endpoint with a malicious command parameter.

A proof-of-concept exploit demonstrates this by sending:-

filter=js2&cmd=showpercent20version;showpercent20running-config&write=0

On this payload, “present model” matches the whitelist and passes preliminary validation checks. Nevertheless, as a result of the system doesn’t parse or validate instructions after the semicolon separator, the next “present running-config” command executes with full privileges regardless of not being explicitly licensed.

Your complete concatenated string is forwarded on to the backend CLI parser, which interprets the semicolon as a command separator and executes each operations sequentially.

When the system processes this request, it returns the entire machine configuration in JavaScript-formatted knowledge arrays, exposing delicate info together with administrative credentials, VPN keys, firewall guidelines, and community topology particulars.

The vulnerability particularly impacts customers assigned to restricted profiles with a person kind parameter worth of 0x14, which represents essentially the most constrained entry stage.

Binary evaluation of the zysh-cgi executable reveals that the code makes use of strncmp() perform calls to validate command prefixes however fails to implement correct command tokenization or recursive validation of chained operations.

The “filter=js2” parameter instructs the server to return knowledge in JavaScript format moderately than HTML, whereas “write=0” ensures the operation stays read-only, stopping unintentional system modifications whereas nonetheless exposing configuration knowledge.

This architectural flaw demonstrates how inadequate enter validation mixed with overly permissive command forwarding mechanisms can create essential safety vulnerabilities even in programs with multi-factor authentication enabled.

ZYXEL launched a firmware patch on October 20, 2025, and revealed their safety advisory on October 21, 2025, urging all ATP and USG sequence customers to instantly replace their units to remediate this essential vulnerability.

Comply with us on Google Information, LinkedIn, and X to Get Extra Instantaneous Updates, Set CSN as a Most well-liked Supply in Google.

Cyber Security News Tags:Attackers, Authorization, Bypass, Configuration, Download, System, View, Vulnerability, Zyxel

Post navigation

Previous Post: Hackers Earn Over $520,000 on First Day of Pwn2Own Ireland 2025
Next Post: New GlassWorm Using Invisible Code Hits Attacking VS Code Extensions on OpenVSX Marketplace

Related Posts

Pakistani Threat Actors Targeting Indian Govt. With Email Mimic as ‘NIC eEmail Services’ Cyber Security News
Chinese APT Group IT Service Provider Leveraging Microsoft Console Debugger to Exfiltrate Data Cyber Security News
Evolution of DDoS Attacks Mitigation Strategies for 2025 Cyber Security News
Hackers Exploiting Adobe Magento RCE Vulnerability Exploited in the Wild Cyber Security News
Google Drive Desktop for Windows Vulnerability Grants Full Access to Another User’s Drive Cyber Security News
10 Best Security Service Edge (SSE) Solutions Cyber Security News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • New Malware Attack Using Variable Functions and Cookies to Evade and Hide Their Malicious Scripts
  • Threat Actors Tricks Target Users Via Impersonation and Fictional Financial Aid Offers
  • TransparentTribe Attack Linux-Based Systems of Indian Military Organizations to Deliver DeskRAT
  • Jingle Thief Attackers Exploiting Festive Season with Weaponized Gift Card Attacks
  • Smishing Triad Linked to 194,000 Malicious Domains in Global Phishing Operation

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • New Malware Attack Using Variable Functions and Cookies to Evade and Hide Their Malicious Scripts
  • Threat Actors Tricks Target Users Via Impersonation and Fictional Financial Aid Offers
  • TransparentTribe Attack Linux-Based Systems of Indian Military Organizations to Deliver DeskRAT
  • Jingle Thief Attackers Exploiting Festive Season with Weaponized Gift Card Attacks
  • Smishing Triad Linked to 194,000 Malicious Domains in Global Phishing Operation

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News