A critical vulnerability in Zyxel's ATP and USG series firewalls enables attackers to bypass authorization controls and access sensitive system configurations.
Tracked as CVE-2025-9133, this flaw affects devices running firmware versions up to V5.40(ABPS.0) and allows unauthorized viewing and downloading of configurations even during the two-factor authentication (2FA) process.
Disclosed on August 14, 2025, the issue stems from insufficient command filtering in the web interface, potentially exposing credentials, keys, and network settings to remote exploitation.
The vulnerability arises when a user with 2FA enabled logs into the device's web portal. Normally, they must enter a one-time PIN via email or an authenticator app to proceed.
However, before verification, the device sends semi-authenticated requests to the backend zysh-cgi binary, which handles configuration queries.
According to Alessandro Sgreccia, who discovered the flaw in parallel with CVE-2025-8078, attackers can manipulate these requests to inject commands, evading a whitelist that restricts access for unverified users.
Bypassing via Command Injection
Using tools like Burp Suite, the researcher intercepted POST requests to /cgi-bin/zysh-cgi. These requests typically include benign commands like "show version" or "show users current," which are whitelisted for partial authentication states (user type 0x14).
By appending unauthorized commands after a semicolon, such as "show version;show running-config", the injection tricks the system.
The binary performs prefix-based validation, checking only the beginning of the string against the allowlist. If it matches, the entire command chain is forwarded to the device's CLI parser, executing the hidden payload without further scrutiny.
Attempts to access configs directly via export-cgi or file_upload-cgi trigger a 302 redirect to the login page, enforcing logout after failed 2FA attempts.
But the zysh-cgi endpoint lacks this protection, returning full configuration dumps in JavaScript-serialized responses (e.g., zyshdata arrays) when filter=js2 is set.
Binary analysis of zysh-cgi revealed two execution paths based on user profile: a restricted "engine" for non-admins that skips full validation, allowing the bypass.
Without splitting commands on semicolons or re-validating each sub-part, the flaw turns a read-only query into a full exfiltration vector.
This authorization bypass could allow attackers to harvest passwords, API keys, and routing details, facilitating lateral movement within networks or persistence via config tampering.
Zyxel devices, widespread in enterprise and SMB environments for threat protection, amplify the risk, especially since the flaw persists even with 2FA active.
Zyxel has not yet issued a patch as of October 2025, but experts recommend immediate mitigations: disable remote web access, enforce strict firewall rules on CGI endpoints, and monitor for anomalous zysh-cgi traffic.
For remediation, vendors should tokenize commands, validate each sub-command individually, and reject chaining entirely. Adding CSRF tokens and rate limiting could further bolster defenses.
As cybersecurity threats evolve, this incident underscores the dangers of incomplete input sanitization in embedded systems. Organizations using Zyxel ATP/USG should audit their configurations urgently to prevent data leaks.
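To make the difference between the prefix-only check described above and the per-sub-command validation recommended here concrete, this added Python example (not Zyxel's code or the researcher's) puts the flawed check beside a hardened one and runs a defensive scan over sample request logs; the allowlist, log format, client addresses and log lines are constructed assumptions, not anything taken from the firmware.

```python
from typing import List, Tuple

# Constructed allowlist standing in for the commands the article says are
# whitelisted in the partial-authentication state (user type 0x14).
PARTIAL_AUTH_ALLOWLIST = frozenset({"show version", "show users current"})
COMMAND_SEPARATOR = ";"

def prefix_check_vulnerable(cmd: str) -> bool:
    """The flawed pattern: accept the whole line if it merely starts with an
    allowed command, so anything chained after ';' is forwarded unexamined."""
    return any(cmd.startswith(allowed) for allowed in PARTIAL_AUTH_ALLOWLIST)

def tokenize(cmd: str) -> List[str]:
    """Split a CLI line on the separator and normalise whitespace in each part."""
    return [" ".join(part.split()) for part in cmd.split(COMMAND_SEPARATOR)]

def validate_hardened(cmd: str, allow_chaining: bool = False) -> bool:
    """Every sub-command must match the allowlist exactly; with chaining
    disallowed (the article's recommendation) any ';' is rejected outright."""
    parts = tokenize(cmd)
    if len(parts) > 1 and not allow_chaining:
        return False
    return all(part in PARTIAL_AUTH_ALLOWLIST for part in parts)

def flag_chained_requests(log_lines: List[str]) -> List[Tuple[int, str]]:
    """Defensive log check: return (line_no, command) for zysh-cgi requests whose
    command would pass the prefix check but fail the hardened one.
    Log format is a constructed assumption: '<client> <path> cmd=<command>'."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        if "/cgi-bin/zysh-cgi" not in line or " cmd=" not in line:
            continue
        cmd = line.split(" cmd=", 1)[1].strip()
        if prefix_check_vulnerable(cmd) and not validate_hardened(cmd):
            hits.append((n, cmd))
    return hits

# Constructed sample log lines (not real device logs).
SAMPLE_LOG = [
    "10.0.0.5 /cgi-bin/zysh-cgi cmd=show version",
    "10.0.0.5 /cgi-bin/zysh-cgi cmd=show version;show running-config",
    "10.0.0.9 /cgi-bin/export-cgi cmd=show version",
    "10.0.0.7 /cgi-bin/zysh-cgi cmd=show users current ; show running-config",
]

if __name__ == "__main__":
    for n, cmd in flag_chained_requests(SAMPLE_LOG):
        print(f"line {n}: chained command slips past the prefix check: {cmd!r}")
```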