A critical authorization bypass vulnerability has been identified in ZYXEL's ATP and USG series network security appliances, allowing attackers to bypass two-factor authentication protections and gain unauthorized access to sensitive system configurations.
Tracked as CVE-2025-9133, the flaw affects devices running ZLD firmware version 5.40 and was publicly disclosed on October 21, 2025, following a coordinated vulnerability disclosure process.
The vulnerability exploits a weakness in the authentication verification phase, specifically targeting the zysh-cgi binary that handles communication with the ZLD system for configuration queries and modifications.
The flaw lets threat actors inject commands into authentication requests during the 2FA verification stage, bypassing security controls that would normally restrict access to critical system data.
When users with two-factor authentication enabled log into affected devices, they are prompted to enter a verification code received via email or Google Authenticator.
However, during this intermediate authentication state, the vulnerability allows attackers to manipulate the command strings sent to the device's backend, giving them the ability to view and download full system configurations containing credentials, encryption keys, and other sensitive security parameters.
A Rainpwn analyst identified this vulnerability while conducting security research on ZYXEL network appliances in August 2025.
The researcher found that the authentication mechanism fails to properly validate command inputs during the 2FA verification phase, creating an exploitable window in which semi-authenticated users can execute privileged operations.
This discovery came alongside another critical vulnerability, CVE-2025-8078, highlighting systemic issues in ZYXEL's authentication implementation.
Command Injection and Whitelist Bypass Mechanism
The vulnerability stems from a fundamental flaw in how the zysh-cgi endpoint processes and validates user commands.
ZYXEL implemented a whitelist-based security control that in theory restricts semi-authenticated users to executing only specific, pre-approved commands such as "show version" or "show users current."
However, the validation mechanism only performs prefix-based string matching, without tokenizing or splitting concatenated commands.
This design weakness allows attackers to chain multiple commands using semicolon separators, effectively smuggling unauthorized commands alongside legitimate ones.
The exploitation technique involves crafting a specially formatted HTTP POST request to the /cgi-bin/zysh-cgi endpoint with a malicious command parameter.
A proof-of-concept exploit demonstrates this by sending:
filter=js2&cmd=show%20version;show%20running-config&write=0
In this payload, "show version" matches the whitelist and passes the initial validation check. However, because the system does not parse or validate commands after the semicolon separator, the subsequent "show running-config" command executes with full privileges despite not being explicitly authorized.
The entire concatenated string is forwarded directly to the backend CLI parser, which interprets the semicolon as a command separator and executes both operations sequentially.
When the system processes this request, it returns the complete device configuration in JavaScript-formatted data arrays, exposing sensitive information including administrative credentials, VPN keys, firewall rules, and network topology details.
The vulnerability specifically affects users assigned to restricted profiles with a user type parameter value of 0x14, which represents the most constrained access level.
Binary analysis of the zysh-cgi executable reveals that the code uses strncmp() calls to validate command prefixes but fails to implement proper command tokenization or recursive validation of chained operations.
The "filter=js2" parameter instructs the server to return data in JavaScript format rather than HTML, while "write=0" keeps the operation read-only, preventing accidental system modifications while still exposing configuration data.
This architectural flaw demonstrates how insufficient input validation combined with overly permissive command forwarding can create critical security vulnerabilities even in systems with multi-factor authentication enabled.
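To make the validation gap concrete, the following added example (written for this article, not ZYXEL's code) contrasts a strncmp()-style prefix check with an allowlist check that tokenizes on the separator and matches every command exactly. The allowlist contents and the newline separator are assumptions; the real zysh-cgi allowlist is not published here.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <string.h>

/* Constructed allowlist standing in for the commands the article names. */
static const char *ALLOWED[] = { "show version", "show users current", NULL };

/* The pattern the article describes: strncmp() against the prefix only.
 * "show version;show running-config" passes because its first bytes match. */
bool prefix_only_check(const char *cmd) {
    for (int i = 0; ALLOWED[i]; i++)
        if (strncmp(cmd, ALLOWED[i], strlen(ALLOWED[i])) == 0)
            return true;
    return false;
}

/* Hardened form: split on the CLI separator (';', plus newline as an assumed
 * separator), trim whitespace, and require every token to be an exact match. */
bool tokenized_check(const char *cmd) {
    char buf[512];
    if (strlen(cmd) >= sizeof buf) return false;      /* refuse oversized input */
    strcpy(buf, cmd);
    char *save = NULL;
    bool any = false;
    for (char *tok = strtok_r(buf, ";\r\n", &save); tok;
         tok = strtok_r(NULL, ";\r\n", &save)) {
        while (*tok == ' ' || *tok == '\t') tok++;        /* trim leading space */
        size_t n = strlen(tok);
        while (n && (tok[n - 1] == ' ' || tok[n - 1] == '\t')) tok[--n] = '\0';
        if (n == 0) return false;                          /* empty token: reject */
        bool ok = false;
        for (int i = 0; ALLOWED[i]; i++)
            if (strcmp(tok, ALLOWED[i]) == 0) ok = true;
        if (!ok) return false;                             /* unknown command */
        any = true;
    }
    return any;                                            /* at least one token */
}
```

The prefix check also accepts any string that merely starts with an allowed command, so exact matching after tokenization closes both gaps at once.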
ZYXEL released a firmware patch on October 20, 2025, and published its security advisory on October 21, 2025, urging all ATP and USG series users to update their devices immediately to remediate this critical vulnerability.
