ZYXEL Authorization Bypass Vulnerability Let Attackers View and Download System Configuration

A critical vulnerability in Zyxel’s ATP and USG series firewalls allows attackers to bypass authorization controls and access sensitive system configuration.

Tracked as CVE-2025-9133, the flaw affects devices running firmware versions up to V5.40(ABPS.0) and enables unauthorized viewing and downloading of configuration even while the two-factor authentication (2FA) step is still pending.

Disclosed on August 14, 2025, the issue stems from inadequate command filtering in the web interface, potentially exposing credentials, keys, and network settings to remote exploitation.

The vulnerability arises when a user with 2FA enabled logs into the device’s web portal. Normally, they must enter a one-time PIN via email or an authenticator app to proceed.

However, before verification, the system sends semi-authenticated requests to the backend zysh-cgi binary, which handles configuration queries.

Alessandro Sgreccia, who discovered the flaw alongside CVE-2025-8078, found that attackers can manipulate these requests to inject commands, evading a whitelist that restricts what unverified users may run.

Bypassing Via Command Injection

Using tools like Burp Suite, the researcher intercepted POST requests to /cgi-bin/zysh-cgi. These requests typically include benign commands like “show version” or “show users current,” which are whitelisted for partial authentication states (user type 0x14).

By appending an unauthorized command after a semicolon, for example “show version;show running-config”, the attacker tricks the system into running both.

The binary performs prefix-based validation, checking only the start of the string against the allowlist. If it matches, the entire command chain is forwarded to the device’s CLI parser, executing the hidden payload without further scrutiny.

Attempts to directly access configs via export-cgi or file_upload-cgi trigger a 302 redirect to the login page, enforcing logout after failed 2FA tries.

But the zysh-cgi endpoint lacks this protection, returning full configuration dumps in JavaScript-serialized responses (e.g., zyshdata arrays) when filter=js2 is set.

Binary analysis of zysh-cgi revealed two execution paths selected by user profile; the restricted “engine” path used for non-admin users skips full validation, which is what allows the bypass.

Because the binary neither splits commands on semicolons nor re-validates each part, the flaw turns a read-only query into a full exfiltration vector.

This authorization bypass could enable attackers to harvest passwords, API keys, and routing details, facilitating lateral movement in networks or persistence via config tampering.

The wide deployment of Zyxel devices in enterprise and SMB environments for threat protection amplifies the risk, especially since the flaw persists even with 2FA active.

Zyxel has not yet issued a patch as of October 2025, but experts recommend immediate mitigations: disable remote web access, enforce strict firewall rules on CGI endpoints, and monitor for anomalous zysh-cgi traffic.
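One way to act on the “monitor for anomalous zysh-cgi traffic” advice is to scan request logs for POSTs to /cgi-bin/zysh-cgi whose command parameter contains a chaining separator or names a configuration dump. The following Python is an added example, not Zyxel’s code or anything from the researcher: the JSON-lines log format, the `cmd` parameter name, and the sample records are all constructed for this illustration (a real deployment would need a reverse proxy or WAF that records request bodies).

```python
import json
import re
from urllib.parse import unquote_plus

# Constructed sample of request records, as a body-logging reverse proxy might
# emit them. Field names, the "cmd" parameter and the IPs are assumptions.
SAMPLE_LOG = """\
{"src": "10.0.0.5", "method": "POST", "path": "/cgi-bin/zysh-cgi", "body": "filter=js2&cmd=show version"}
{"src": "10.0.0.5", "method": "POST", "path": "/cgi-bin/zysh-cgi", "body": "filter=js2&cmd=show version;show running-config"}
{"src": "10.0.0.9", "method": "GET", "path": "/cgi-bin/export-cgi", "body": ""}
{"src": "10.0.0.7", "method": "POST", "path": "/cgi-bin/zysh-cgi", "body": "filter=js2&cmd=show users current"}
{"src": "10.0.0.7", "method": "POST", "path": "/cgi-bin/zysh-cgi", "body": "filter=js2&cmd=show%20version%3Bshow%20running-config"}
"""

# Characters a shell-style CLI parser treats as command chaining.
CHAIN_RE = re.compile(r"[;&|\r\n]")
# Commands that return the device configuration and should never appear in a
# pre-2FA session; "running-config" comes from the article, the rest is assumed.
SENSITIVE_RE = re.compile(r"running-config|startup-config", re.IGNORECASE)
TARGET_PATH = "/cgi-bin/zysh-cgi"


def decode_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body without relying on
    parse_qs, so ';' inside a value is never mistaken for a field separator."""
    params = {}
    for pair in body.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params[unquote_plus(key)] = unquote_plus(value)
    return params


def detect(log_text: str) -> list:
    """Return one alert dict per zysh-cgi request whose command parameter shows
    chaining or a configuration read. Each alert carries src, reason, value."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("path") != TARGET_PATH or rec.get("method") != "POST":
            continue
        for key, value in decode_form(rec.get("body", "")).items():
            if key == "filter":  # output format selector, not a command
                continue
            if CHAIN_RE.search(value):
                alerts.append({"src": rec["src"], "reason": "command chaining", "value": value})
            elif SENSITIVE_RE.search(value):
                alerts.append({"src": rec["src"], "reason": "config read", "value": value})
    return alerts


def sources_with_alerts(log_text: str) -> dict:
    """Count alerts per source address, a convenient pivot for an analyst."""
    counts = {}
    for alert in detect(log_text):
        counts[alert["src"]] = counts.get(alert["src"], 0) + 1
    return counts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f'{alert["src"]}: {alert["reason"]} -> {alert["value"]!r}')
```

The percent-encoded record is decoded before matching so that an encoded semicolon is caught as readily as a literal one; an alert on either form is a strong signal because a legitimate pre-2FA session has no reason to send more than the single whitelisted query.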

For remediation, vendors should tokenize commands, validate each sub-command individually, and reject chaining entirely. Adding CSRF tokens and rate-limiting could bolster defenses.
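To make the prefix-matching defect described above concrete, here is an added Python example (not Zyxel’s code, and not a reconstruction of zysh-cgi) that puts a prefix-only allowlist check beside two hardened variants: one that tokenizes on separators and validates every sub-command individually, and one that rejects chaining outright. The allowlist contents are taken from the commands the article names; treating them as exact strings is an assumption.

```python
import re

# Constructed allowlist of read-only commands the article says are permitted
# for semi-authenticated (pre-2FA) sessions; exact strings are an assumption.
PARTIAL_AUTH_ALLOWLIST = frozenset({
    "show version",
    "show users current",
})

# Separators a shell-style CLI parser would treat as command chaining.
SEPARATOR_RE = re.compile(r"[;&|\r\n]")


def _normalize(command: str) -> str:
    """Collapse internal whitespace and trim, so 'show  version ' compares equal."""
    return " ".join(command.split())


def prefix_allowed(command: str) -> bool:
    """Flawed check, as the article describes it: only the start of the string
    is compared, so anything chained after an allowed command slips through."""
    return any(command.startswith(allowed) for allowed in PARTIAL_AUTH_ALLOWLIST)


def each_subcommand_allowed(command: str) -> bool:
    """Hardened check 1: split on separators and require every part to match
    the allowlist exactly. Empty parts (e.g. a trailing ';') are rejected."""
    parts = [_normalize(p) for p in SEPARATOR_RE.split(command)]
    if not parts or any(p == "" for p in parts):
        return False
    return all(p in PARTIAL_AUTH_ALLOWLIST for p in parts)


def no_chaining_allowed(command: str) -> bool:
    """Hardened check 2: refuse any separator at all, then exact-match the
    single remaining command. Strictest option for an unverified session."""
    if SEPARATOR_RE.search(command):
        return False
    return _normalize(command) in PARTIAL_AUTH_ALLOWLIST


if __name__ == "__main__":
    samples = [
        "show version",
        "show version;show running-config",  # the chained form from the article
        "show running-config",
    ]
    for cmd in samples:
        print(f"{cmd!r:40} prefix={prefix_allowed(cmd)} "
              f"each={each_subcommand_allowed(cmd)} strict={no_chaining_allowed(cmd)}")
```

Running the block shows the point of the fix: the prefix check accepts the chained string while both hardened checks reject it, and the strict variant also rejects otherwise-benign chains such as two allowed commands joined by a semicolon, which is the behaviour a pre-2FA session should have.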

As cybersecurity threats evolve, this incident underscores the dangers of incomplete input sanitization in embedded systems. Organizations using Zyxel ATP/USG should audit configurations urgently to prevent data leaks.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.