CVE-2025-6265 Overview
CVE-2025-6265 is a path traversal vulnerability (CWE-22) in the file_upload-cgi CGI program of multiple Zyxel access point firmware images. An authenticated attacker with administrator privileges can traverse outside the intended upload directory to access specific directories and delete files, including the device configuration file. The flaw affects Zyxel NWA50AX PRO firmware version 7.10(ACGE.2) and earlier, along with a broad range of related NWA, WAC, WAX, and WBE access point models. Zyxel published the corresponding security advisory on July 15, 2025.
Critical Impact
An authenticated administrator can delete arbitrary files on affected access points, including the running configuration, leading to service disruption and loss of device state.
Affected Products
- Zyxel NWA50AX, NWA50AX PRO, NWA55AXE, NWA90AX, NWA90AX PRO, NWA110AX, NWA130BE, NWA210AX, NWA220AX-6E, NWA1123AC PRO firmware (7.10(ACGE.2) and earlier for NWA50AX PRO)
- Zyxel WAC500H, WAC5302D-SV2, WAC6103D-I, WAX300H, WAX510D, WAX610D, WAX620D-6E, WAX630S, WAX640S-6E, WAX650S, WAX655E firmware
- Zyxel WBE530 and WBE660S firmware
Discovery Timeline
- 2025-07-15 - Zyxel publishes security advisory for path traversal in access points
- 2025-07-15 - CVE-2025-6265 published to NVD
- 2026-01-14 - Last updated in NVD database
Technical Details for CVE-2025-6265
Vulnerability Analysis
The vulnerability resides in the file_upload-cgi CGI handler exposed by the access point management interface. The handler accepts file path parameters from authenticated administrators but fails to canonicalize or restrict the supplied path. Attackers supply path traversal sequences such as ../ to escape the intended upload directory and reach other locations on the device filesystem. Once outside the intended directory, the handler permits deletion of files the CGI process can access, including the access point configuration file. Loss of the configuration file disrupts wireless service and forces administrators to rebuild device state from backup.
Root Cause
The file_upload-cgi program performs insufficient validation of user-supplied filename or path parameters. Input is concatenated into a filesystem path without rejecting traversal metacharacters or enforcing a canonical base directory. This is a classic instance of CWE-22 (Improper Limitation of a Pathname to a Restricted Directory).
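The pattern described above, next to a hardened form, as an added illustration (this is not Zyxel's firmware code). The upload directory, the function names and the sample file names are assumptions chosen for the example.

```python
import os

UPLOAD_DIR = "/tmp/upload"  # assumed upload directory, not taken from the firmware


def naive_target(filename: str) -> str:
    """Vulnerable pattern: user input concatenated onto the base directory."""
    return UPLOAD_DIR + "/" + filename


def safe_target(filename: str, base: str = UPLOAD_DIR) -> str:
    """Canonicalize the path and refuse anything that resolves outside `base`."""
    if not filename or "\x00" in filename:
        raise ValueError("empty name or NUL byte")
    base_real = os.path.realpath(base)
    # realpath collapses ../ sequences and follows symlinks; an absolute
    # `filename` replaces the base in join() and is caught by the check below.
    candidate = os.path.realpath(os.path.join(base_real, filename))
    # commonpath compares whole components, so /tmp/upload-evil does not pass
    # as a child of /tmp/upload the way a plain startswith() check would.
    inside = os.path.commonpath([base_real, candidate]) == base_real
    if candidate == base_real or not inside:
        raise ValueError("path escapes upload directory")
    return candidate


if __name__ == "__main__":
    # Constructed inputs; /etc/device.conf is a placeholder path.
    for name in ["fw.bin", "sub/../fw.bin", "../../etc/device.conf",
                 "/etc/device.conf", "../upload-evil/x"]:
        print("naive:", os.path.normpath(naive_target(name)))
        try:
            print("safe: ", safe_target(name))
        except ValueError as exc:
            print("safe:  rejected,", exc)
```

Any delete or write operation should act only on the value returned by the canonicalizing function, never on the raw parameter.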
Attack Vector
Exploitation requires network access to the access point management interface and valid administrator credentials. The attacker submits a crafted request to the file_upload-cgi endpoint containing relative traversal sequences in a file path parameter. The CGI then operates on the attacker-chosen target path, enabling deletion of files such as the configuration store. Refer to the Zyxel Security Advisory for vendor-confirmed technical details.
No public proof-of-concept or in-the-wild exploitation has been reported for CVE-2025-6265 at the time of publication.
Detection Methods for CVE-2025-6265
Indicators of Compromise
- HTTP or HTTPS requests to the file_upload-cgi endpoint containing ../, ..%2f, or other URL-encoded traversal sequences in path or filename parameters.
- Unexpected access point reboots, loss of configuration, or factory-default behavior on managed devices.
- Administrator session activity from unfamiliar source IP addresses preceding configuration loss events.
Detection Strategies
- Inspect access point web server logs for file_upload-cgi requests containing traversal patterns or references to paths outside the upload directory.
- Correlate administrator authentication events with subsequent file upload CGI activity to spot abuse of valid credentials.
- Monitor configuration integrity via periodic backups and hash comparison to detect unauthorized deletion or modification.
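One way to implement the log inspection from the first item above, as an added example that is not part of the vendor advisory. It assumes common-log-format access lines with the parameter visible in the request target; the /cgi-bin/ prefix, the "filename" parameter and every sample line are constructed for illustration, and parameters carried only in a POST body will not appear in such logs.

```python
import re
from urllib.parse import unquote

ENDPOINT = "file_upload-cgi"
# A ".." path component after decoding, bounded by a separator or the string end.
TRAVERSAL = re.compile(r"(^|[/\\=&?])\.\.([/\\&]|$)")
REQUEST = re.compile(r'"(?:GET|POST|PUT|DELETE) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (format, URL prefix and parameter name are assumed).
SAMPLE_LOG = [
    '10.10.50.7 - admin [15/Jul/2025:09:12:01 +0000] "POST /cgi-bin/file_upload-cgi?filename=fw.bin HTTP/1.1" 200 512',
    '203.0.113.9 - admin [15/Jul/2025:09:14:44 +0000] "POST /cgi-bin/file_upload-cgi?filename=../../conf/placeholder HTTP/1.1" 200 0',
    '203.0.113.9 - admin [15/Jul/2025:09:14:51 +0000] "POST /cgi-bin/file_upload-cgi?filename=..%2f..%2fconf%2fplaceholder HTTP/1.1" 200 0',
    '203.0.113.9 - admin [15/Jul/2025:09:15:02 +0000] "GET /cgi-bin/file_upload-cgi?filename=%252e%252e%252fconf HTTP/1.1" 200 0',
    '10.10.50.7 - admin [15/Jul/2025:09:20:10 +0000] "GET /index.html?next=../login HTTP/1.1" 200 90',
    '10.10.50.7 - admin [15/Jul/2025:09:21:33 +0000] "POST /cgi-bin/file_upload-cgi?filename=fw..v2.bin HTTP/1.1" 200 512',
]


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so single- and double-encoded forms normalise."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def flag_traversal(lines):
    """Return log lines where a file_upload-cgi request carries a '..' component."""
    hits = []
    for line in lines:
        match = REQUEST.search(line)
        if not match or ENDPOINT not in match.group(1):
            continue  # not a parsable request, or a different endpoint
        if TRAVERSAL.search(fully_decode(match.group(1))):
            hits.append(line)
    return hits


if __name__ == "__main__":
    for hit in flag_traversal(SAMPLE_LOG):
        print("ALERT", hit)
```

Matching on a whole ".." component rather than the substring keeps names such as fw..v2.bin from raising false alerts.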
Monitoring Recommendations
- Forward access point syslog and web management logs to a centralized log analytics or SIEM platform for long-term retention and querying.
- Alert on repeated failed administrator authentication attempts against the access point management interface.
- Track firmware versions across the fleet to identify devices still running vulnerable builds at or below 7.10(ACGE.2) for NWA50AX PRO and equivalent versions for other models.
How to Mitigate CVE-2025-6265
Immediate Actions Required
- Apply the firmware update published in the Zyxel Security Advisory to all affected access point models.
- Rotate administrator credentials on Zyxel access points and enforce strong, unique passwords.
- Back up current device configurations before patching so service can be restored quickly if needed.
Patch Information
Zyxel released fixed firmware for the affected NWA, WAC, WAX, and WBE access point families. Administrators should consult the Zyxel Security Advisory for the specific fixed firmware version that corresponds to each device model and apply it through the standalone web interface or Nebula cloud management.
Workarounds
- Restrict access to the access point web management interface to trusted management VLANs or jump hosts using ACLs or firewall rules.
- Disable remote (WAN-side) administration on the access points and require management traffic to traverse a VPN.
- Limit the number of accounts with administrator privileges and audit account usage regularly until patching is complete.
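```bash
# Example: restrict AP management access at an upstream firewall
# Replace interface names and addresses to match your environment
# Here 10.10.50.0/24 stands for the trusted management subnet and
# 10.20.0.0/16 for the access point management addresses.
# Allow HTTPS management only from the trusted subnet
iptables -A FORWARD -p tcp -s 10.10.50.0/24 -d 10.20.0.0/16 --dport 443 -j ACCEPT
# Drop HTTPS and HTTP management traffic from every other source
iptables -A FORWARD -p tcp -d 10.20.0.0/16 --dport 443 -j DROP
iptables -A FORWARD -p tcp -d 10.20.0.0/16 --dport 80 -j DROP
```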


