CVE-2025-9133

8.1 HIGH

📋 TL;DR

A missing authorization vulnerability in Zyxel firewall devices allows semi-authenticated attackers who have completed only the first stage of 2FA to view and download system configurations. This affects Zyxel ATP, USG FLEX, USG FLEX 50(W), and USG20(W)-VPN series firewalls with vulnerable firmware versions. Attackers could gain sensitive network information including firewall rules, VPN configurations, and network topology.

💻 Affected Systems

Products:
  • Zyxel ATP series
  • Zyxel USG FLEX series
  • Zyxel USG FLEX 50(W) series
  • Zyxel USG20(W)-VPN series
Versions: ATP: V4.32 through V5.40; USG FLEX: V4.50 through V5.40; USG FLEX 50(W): V4.16 through V5.40; USG20(W)-VPN: V4.16 through V5.40
Operating Systems: Zyxel ZLD firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All devices running vulnerable firmware versions are affected regardless of configuration. Exploitation requires the attacker to complete the first stage of 2FA authentication.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers obtain the complete network configuration, including firewall rules, VPN credentials, and internal network topology, enabling further attacks or network compromise.

🟠 Likely Case: Attackers download configuration files containing sensitive network information, firewall rules, and potentially credentials for follow-on attacks.

🟢 If Mitigated: Limited exposure of configuration details if proper network segmentation and access controls are implemented.

🌐 Internet-Facing: HIGH - Firewalls are typically internet-facing, and attackers with partial authentication could exploit this remotely.
🏢 Internal Only: MEDIUM - Internal attackers with partial authentication could still access sensitive configuration data.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW - Requires only partial authentication (first stage of 2FA) to access configuration download functionality.

Exploitation requires the attacker to have completed the first authentication factor. No public exploit code is currently available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after V5.40 for all affected series

Vendor Advisory: https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-post-authentication-command-injection-and-missing-authorization-vulnerabilities-in-zld-firewalls-10-21-2025

Restart Required: Yes

Instructions:

1. Download the latest firmware from the Zyxel support portal.
2. Back up the current configuration.
3. Upload and install the firmware update via the web interface.
4. Reboot the device.
5. Verify that the firmware version is above V5.40.

🔧 Temporary Workarounds

Disable web management access (applies to: all)
  • Restrict web management interface access to trusted IP addresses only
  • Configure firewall rules to restrict the web management port (default 443) to specific source IPs

Enable full 2FA enforcement (applies to: all)
  • Ensure all administrative access requires complete 2FA authentication
  • Verify 2FA is enabled and configured to require both factors for all administrative functions

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate firewall management interfaces
  • Monitor for unauthorized configuration download attempts and review access logs regularly

🔍 How to Verify

Check if Vulnerable:

Check firmware version via web interface: System > Maintenance > Firmware or via CLI: show version

Check Version:

show version (CLI) or check System > Maintenance > Firmware in web interface

Verify Fix Applied:

Verify firmware version is above V5.40 and test that configuration download requires full 2FA authentication

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized configuration download attempts
  • Access to configuration download endpoints without full 2FA completion
  • Multiple failed 2FA attempts followed by configuration access

Network Indicators:

  • Unexpected downloads of configuration files from firewall management interface
  • Traffic to configuration download endpoints from untrusted sources

SIEM Query:

source="firewall_logs" AND (event="configuration_download" OR uri="/cgi-bin/download_config") AND NOT (auth_status="full_2fa")
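The SIEM query above, expressed as stand-alone detection logic over constructed sample log lines. This is an added example, not code from the advisory or from Zyxel; the key=value log format, the field names `ts`, `src` and `user`, and the IP addresses are assumptions, while the event name, URI and `auth_status` value are taken from the query.

```python
import re

# Constructed sample log lines in a generic key=value format (assumed, not a real
# Zyxel log format). Fields mirror the SIEM query: event, uri, auth_status.
SAMPLE_LOGS = """\
ts=2025-10-22T08:01:10Z src=10.0.5.7 user=admin event=login auth_status=first_factor_ok
ts=2025-10-22T08:01:14Z src=10.0.5.7 user=admin event=configuration_download uri=/cgi-bin/download_config auth_status=first_factor_ok
ts=2025-10-22T09:15:02Z src=10.0.1.20 user=ops event=login auth_status=full_2fa
ts=2025-10-22T09:15:40Z src=10.0.1.20 user=ops event=configuration_download uri=/cgi-bin/download_config auth_status=full_2fa
ts=2025-10-22T11:40:03Z src=203.0.113.9 user=admin event=http_request uri=/cgi-bin/download_config auth_status=none
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one key=value log line into a dict."""
    return dict(KV_RE.findall(line))


def is_config_download(rec):
    """Match either the logged event name or the download URI from the query."""
    return (rec.get("event") == "configuration_download"
            or rec.get("uri") == "/cgi-bin/download_config")


def find_suspicious(log_text, trusted_sources=()):
    """Return (record, reasons) for every configuration download that was not
    backed by full 2FA, or that came from outside the trusted management sources
    (the 'untrusted sources' network indicator above)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not is_config_download(rec):
            continue
        reasons = []
        if rec.get("auth_status") != "full_2fa":
            reasons.append("config download without full 2FA")
        if trusted_sources and rec.get("src") not in trusted_sources:
            reasons.append("config download from untrusted source")
        if reasons:
            hits.append((rec, reasons))
    return hits


if __name__ == "__main__":
    for rec, reasons in find_suspicious(SAMPLE_LOGS, ("10.0.5.7", "10.0.1.20")):
        print(rec["ts"], rec["src"], rec.get("user"), "; ".join(reasons))
```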
