CVE-2025-6265
📋 TL;DR
This path traversal vulnerability in Zyxel NWA50AX PRO access points allows authenticated administrators to delete critical files like configuration files by manipulating file paths. It affects firmware version 7.10(ACGE.2) and earlier. Attackers need administrator credentials to exploit this vulnerability.
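The defect class described above, and the containment check that prevents it, as an added illustration (constructed example code, not Zyxel firmware code; the function names, the temporary directory layout and the request path are assumptions):

```python
"""Illustration of the defect class behind CVE-2025-6265: a file-management
endpoint that joins a caller-supplied path onto its working directory without
checking where the result lands. Constructed example, not Zyxel code; the
function names, directory layout and request strings are assumptions."""
import os
import tempfile
from pathlib import Path


def unsafe_target(base_dir: str, requested: str) -> str:
    """Naive join: a '../' sequence in 'requested' walks out of base_dir."""
    return os.path.normpath(os.path.join(base_dir, requested))


def contained_target(base_dir: str, requested: str) -> str:
    """Hardened form: canonicalise both paths (symlinks included) and reject
    any request whose real location is not inside base_dir."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    # commonpath compares whole components, so '/srv/uploads-old' is not
    # mistaken for a path inside '/srv/uploads' (a plain prefix check would be).
    if os.path.commonpath([base, candidate]) != base:
        raise PermissionError(f"path escapes upload directory: {requested!r}")
    return candidate


def demo() -> dict:
    """Build a throwaway layout (an uploads dir beside a stand-in config file),
    then show what each variant resolves a traversal-style request to."""
    root = os.path.realpath(tempfile.mkdtemp())  # realpath: stable on macOS /var symlinks
    uploads = Path(root, "uploads")
    uploads.mkdir()
    (uploads / "notes.txt").write_text("benign upload\n")
    config = Path(root, "config.xml")  # stands in for a device configuration file
    config.write_text("<config/>\n")

    traversal = "../config.xml"  # constructed request value
    result = {
        "unsafe_resolves_to_config": unsafe_target(str(uploads), traversal) == str(config),
        "benign_accepted": contained_target(str(uploads), "notes.txt").endswith("notes.txt"),
    }
    try:
        contained_target(str(uploads), traversal)
        result["traversal_rejected"] = False
    except PermissionError:
        result["traversal_rejected"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

The point of `contained_target` is that the check happens on the canonical path after resolution, not on the raw string: stripping `../` substrings before joining is the classic incomplete fix, because encoded, doubled or symlinked variants survive it while the realpath-plus-commonpath check does not.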
💻 Affected Systems
- Zyxel NWA50AX PRO
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An attacker with admin credentials could delete the configuration file, causing device malfunction, loss of network settings, and requiring factory reset and manual reconfiguration.
Likely Case
Malicious insider or compromised admin account could delete configuration files, disrupting network services and requiring administrative recovery.
If Mitigated
With proper access controls and monitoring, the impact is confined to authorized administrators, who should not need destructive access to critical system files in the first place.
🎯 Exploit Status
Exploitation requires admin credentials but path traversal techniques are well-understood and simple to implement.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Firmware version after 7.10(ACGE.2)
Vendor Advisory: https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-path-traversal-vulnerability-in-aps-07-15-2025
Restart Required: Yes
Instructions:
1. Download the latest firmware from the Zyxel support portal.
2. Log into the device web interface.
3. Navigate to Maintenance > Firmware Upgrade.
4. Upload and apply the new firmware.
5. The device will reboot automatically.
🔧 Temporary Workarounds
Restrict Admin Access
Limit administrative access to trusted users only and implement strong authentication controls.
Disable Unnecessary CGI
If file_upload-cgi is not required, disable it through the device configuration.
🧯 If You Can't Patch
- Implement strict access controls and monitor admin account usage
- Regularly backup configuration files and maintain offline copies
🔍 How to Verify
Check if Vulnerable:
Check the firmware version in the web interface under Maintenance > System Information. If the version is 7.10(ACGE.2) or earlier, the device is vulnerable.
Check Version:
No CLI command is available. Use the web interface: Maintenance > System Information.
Verify Fix Applied:
After patching, verify that the firmware version shown in System Information is higher than 7.10(ACGE.2).
📡 Detection & Monitoring
Log Indicators:
- Unusual file deletion events in system logs
- Multiple failed authentication attempts followed by successful admin login
Network Indicators:
- Unusual HTTP requests to file_upload-cgi with path traversal patterns
SIEM Query:
source="zyxel_logs" AND (event="file_deletion" OR uri="*file_upload-cgi*") AND (path="*../*" OR path="*/../*")
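The network indicator and SIEM query above, implemented as a log scanner over constructed sample lines (added example; the combined-log layout, the `/cgi-bin/` prefix and the `file=` parameter are assumptions, since the page does not describe the device's actual log format). It also unwinds URL-encoded and double-encoded traversal sequences, which a plain `*../*` wildcard match does not catch:

```python
"""Scan web-server style log lines for requests to file_upload-cgi that carry
directory traversal sequences. Constructed log format and sample data; the
real Zyxel log layout is not known from the advisory."""
import re
from urllib.parse import unquote

# Constructed sample lines (client, user, timestamp, request, status, bytes).
SAMPLE_LOG = """\
10.0.0.5 - admin [15/Jul/2025:10:01:02 +0000] "POST /cgi-bin/file_upload-cgi?file=backup.conf HTTP/1.1" 200 512
10.0.0.9 - admin [15/Jul/2025:10:03:11 +0000] "POST /cgi-bin/file_upload-cgi?file=../../etc/passwd HTTP/1.1" 200 17
10.0.0.9 - admin [15/Jul/2025:10:03:40 +0000] "POST /cgi-bin/file_upload-cgi?file=%2e%2e%2f%2e%2e%2fetc/passwd HTTP/1.1" 200 17
10.0.0.9 - admin [15/Jul/2025:10:04:05 +0000] "POST /cgi-bin/file_upload-cgi?file=%252e%252e%252fconfig HTTP/1.1" 200 17
10.0.0.7 - admin [15/Jul/2025:10:05:00 +0000] "GET /cgi-bin/status-cgi?page=../x HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
ENDPOINT = "file_upload-cgi"          # endpoint named in the advisory
TRAVERSAL = re.compile(r"\.\.(?:/|$)")  # '..' followed by a separator or end


def fully_decode(s: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded), so that
    %252e%252e%252f unwinds to '../' instead of slipping past a single decode."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def has_traversal(target: str) -> bool:
    """Normalise backslashes to slashes after decoding, then look for '..'
    segments anywhere in path or query."""
    decoded = fully_decode(target).replace("\\", "/")
    return TRAVERSAL.search(decoded) is not None


def scan(log_text: str) -> list[dict]:
    """Return one record per request to ENDPOINT that carries a traversal
    sequence; other endpoints are left to the broader SIEM rule."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: not this rule's job
        target = m["target"]
        if ENDPOINT in target and has_traversal(target):
            hits.append({
                "client": m["client"],
                "user": m["user"],
                "status": m["status"],
                "target": target,
                "decoded": fully_decode(target),
            })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['client']} {hit['user']} -> {hit['decoded']} (HTTP {hit['status']})")
```

The scanner is deliberately narrower than the SIEM query above: it fires only on the advisory's endpoint, so the traversal-looking request to the unrelated `status-cgi` in the sample is not reported here. Because the successful deletions in the sample return HTTP 200, the status code alone is not a usable signal; correlating the flagged requests with the "file deletion" system-log events listed above is what distinguishes an attempt from a completed deletion.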