ZYXEL Authorization Bypass Vulnerability Let Attackers View and Download System Configuration

A critical authorization bypass vulnerability has emerged in ZYXEL’s ATP and USG series network security appliances, allowing attackers to circumvent two-factor authentication protections and gain unauthorized access to sensitive system configurations.

Tracked as CVE-2025-9133, this security flaw affects devices running ZLD firmware version 5.40 and was publicly disclosed on October 21, 2025, following a coordinated vulnerability disclosure process.

The vulnerability lies in the authentication verification phase, specifically in the zysh-cgi binary that relays configuration queries and modifications to the ZLD system.

The flaw lets an attacker who has reached the 2FA verification stage append extra commands to the requests sent to that binary, defeating the control that would normally restrict a semi-authenticated session to a handful of harmless commands and keep it away from critical system files.

When users with two-factor authentication enabled log into affected devices, they are prompted to enter a verification code received via email or Google Authenticator.

However, during this intermediate authentication state, the vulnerability allows attackers to manipulate command strings sent to the device’s backend, granting them the ability to view and download complete system configurations containing credentials, encryption keys, and other sensitive security parameters.

A Rainpwn analyst identified this vulnerability while researching ZYXEL network appliances in August 2025.

The researcher discovered that the authentication mechanism fails to properly validate command inputs during the 2FA verification phase, creating an exploitable window where semi-authenticated users can execute privileged operations.

This discovery came in parallel with another critical vulnerability, CVE-2025-8078, highlighting systemic issues in ZYXEL’s authentication implementation.

Command Injection and Whitelist Bypass Mechanism

The vulnerability stems from a fundamental flaw in how the zysh-cgi endpoint processes and validates user commands.

ZYXEL implemented a whitelist-based security control that theoretically restricts semi-authenticated users to executing only specific, pre-approved commands such as “show version” or “show users current.”

However, the validation mechanism only performs prefix matching on the raw command string, without tokenizing it or splitting it at command separators.

This design weakness allows attackers to chain multiple commands using semicolon separators, effectively smuggling unauthorized commands alongside legitimate ones.

The exploitation technique involves crafting a specially formatted HTTP POST request to the /cgi-bin/zysh-cgi endpoint with a malicious command parameter.

A proof-of-concept exploit demonstrates this by sending the following form-encoded body:

filter=js2&cmd=show%20version;show%20running-config&write=0

In this payload, “show version” matches the whitelist and passes initial validation checks. However, because the system does not parse or validate commands after the semicolon separator, the subsequent “show running-config” command executes with full privileges despite not being explicitly authorized.

The entire concatenated string is forwarded directly to the backend CLI parser, which interprets the semicolon as a command separator and executes both operations sequentially.

When the system processes this request, it returns the complete device configuration in JavaScript-formatted data arrays, exposing sensitive information including administrative credentials, VPN keys, firewall rules, and network topology details.

The vulnerability specifically affects users assigned to restricted profiles with a user type parameter value of 0x14, which represents the most constrained access level.

Binary analysis of the zysh-cgi executable reveals that the code uses strncmp() function calls to validate command prefixes but fails to implement proper command tokenization or recursive validation of chained operations.

The “filter=js2” parameter instructs the server to return data in JavaScript format rather than HTML, while “write=0” ensures the operation remains read-only, preventing accidental system modifications while still exposing configuration data.
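The following program is an added illustration of the whitelist flaw described above, not code from ZYXEL or from the Rainpwn write-up. It is modelled on the article's description only: the real zysh-cgi binary is not available here, so the whitelist entries, the parameter parsing and the function names are assumptions. It parses the cmd= value out of a POST body shaped like the quoted proof of concept, runs it through a prefix-only check built on strncmp() (the behaviour the article attributes to zysh-cgi), and then through a hardened check that splits on the CLI's ';' separator and requires every segment to match a whitelist entry exactly.

```c
#include <assert.h>
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Commands a 2FA-pending (semi-authenticated) user may run.
   Illustrative list: the article names only these two entries. */
static const char *ALLOWED[] = { "show version", "show users current" };
static const size_t N_ALLOWED = sizeof(ALLOWED) / sizeof(ALLOWED[0]);

/* Percent-decode a URL-encoded value into out; returns decoded length or -1 if it does not fit. */
static int url_decode(const char *in, char *out, size_t outsz) {
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        if (o + 1 >= outsz) return -1;
        if (in[i] == '%' && isxdigit((unsigned char)in[i + 1]) && isxdigit((unsigned char)in[i + 2])) {
            char hex[3] = { in[i + 1], in[i + 2], '\0' };
            out[o++] = (char)strtol(hex, NULL, 16);
            i += 2;
        } else if (in[i] == '+') {
            out[o++] = ' ';
        } else {
            out[o++] = in[i];
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Find `name=` in an application/x-www-form-urlencoded body and decode its value.
   Returns false if the parameter is absent or the value is too long. */
static bool get_param(const char *body, const char *name, char *out, size_t outsz) {
    size_t nlen = strlen(name);
    const char *p = body;
    while (p && *p) {
        const char *end = strchr(p, '&');
        size_t plen = end ? (size_t)(end - p) : strlen(p);
        if (plen > nlen && strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            char raw[512];
            size_t vlen = plen - nlen - 1;
            if (vlen >= sizeof raw) return false;
            memcpy(raw, p + nlen + 1, vlen);
            raw[vlen] = '\0';
            return url_decode(raw, out, outsz) >= 0;
        }
        p = end ? end + 1 : NULL;
    }
    return false;
}

/* Vulnerable check, modelled on the prefix comparison the article describes:
   strncmp() over the length of the whitelist entry only, so anything after a
   matching prefix (";show running-config") is never looked at. */
bool allowed_prefix_only(const char *cmd) {
    for (size_t i = 0; i < N_ALLOWED; i++)
        if (strncmp(cmd, ALLOWED[i], strlen(ALLOWED[i])) == 0)
            return true;
    return false;
}

/* Hardened check: split on ';', trim each segment, and require every segment
   to equal a whitelist entry exactly. Empty segments ("a;;b", trailing ';') are rejected. */
bool allowed_tokenized(const char *cmd) {
    const char *seg = cmd;
    bool any = false;
    for (;;) {
        const char *end = strchr(seg, ';');
        size_t len = end ? (size_t)(end - seg) : strlen(seg);
        while (len > 0 && isspace((unsigned char)seg[0])) { seg++; len--; }
        while (len > 0 && isspace((unsigned char)seg[len - 1])) len--;
        if (len == 0) return false;
        bool ok = false;
        for (size_t i = 0; i < N_ALLOWED; i++)
            if (strlen(ALLOWED[i]) == len && memcmp(seg, ALLOWED[i], len) == 0) { ok = true; break; }
        if (!ok) return false;
        any = true;
        if (!end) break;
        seg = end + 1;
    }
    return any;
}

/* Evaluate the cmd= value of a POST body with both checks.
   Returns 0 if there is no cmd parameter; otherwise bit 1 = prefix check passes, bit 2 = tokenized check passes. */
int evaluate_body(const char *body) {
    char cmd[512];
    if (!get_param(body, "cmd", cmd, sizeof cmd)) return 0;
    int r = 0;
    if (allowed_prefix_only(cmd)) r |= 1;
    if (allowed_tokenized(cmd)) r |= 2;
    return r;
}

int main(void) {
    /* Constructed bodies shaped like the proof of concept quoted in the article. */
    const char *poc    = "filter=js2&cmd=show%20version;show%20running-config&write=0";
    const char *benign = "filter=js2&cmd=show%20version&write=0";
    int a = evaluate_body(poc), b = evaluate_body(benign);
    printf("PoC:    prefix=%d tokenized=%d\n", a & 1, (a >> 1) & 1);
    printf("benign: prefix=%d tokenized=%d\n", b & 1, (b >> 1) & 1);
    return 0;
}
```

The prefix-only check accepts the chained payload because it stops comparing after the twelve characters of "show version"; the tokenized check rejects it because "show running-config" is not on the list. Note that an exact-match check is also what prevents "show versionX" or "show version | something" from slipping through, a class of bypass a prefix comparison can never catch.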

This architectural flaw demonstrates how insufficient input validation combined with overly permissive command forwarding mechanisms can create critical security vulnerabilities even in systems with multi-factor authentication enabled.

ZYXEL released a firmware patch on October 20, 2025, and published their security advisory on October 21, 2025, urging all ATP and USG series users to immediately update their devices to remediate this critical vulnerability.

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.