CVE-2025-6599 Overview
An uncontrolled resource consumption vulnerability has been identified in the web server component of numerous Zyxel network devices. This vulnerability allows remote attackers to perform Slowloris-style denial-of-service (DoS) attacks against the web management interface of affected devices. The attack exploits how the web server handles concurrent HTTP connections, enabling an attacker to exhaust server resources by maintaining multiple incomplete connections.
Critical Impact
Attackers can temporarily block legitimate HTTP requests and partially disrupt access to the web management interface, potentially preventing administrators from managing critical network infrastructure during an attack.
Affected Products
- Zyxel DX3301-T0 firmware version 5.50(ABVY.6.3)C0 and earlier
- Zyxel 4G LTE/5G NR CPE devices (LTE3301-Plus, NR5103, NR5103E, NR5309, NR7302, NR7303 series)
- Zyxel DSL/Ethernet CPE devices (DX/EX/VMG/EMG series)
- Zyxel Fiber ONTs (PM/PX/AX series)
- Zyxel Nebula FWA series (FWA505, FWA510, FWA515, FWA710)
- Zyxel Security Routers and Wireless Extenders (SCR 50AXE, WX/WE series)
Discovery Timeline
- November 18, 2025 - CVE-2025-6599 published to NVD
- December 16, 2025 - Last updated in NVD database
Technical Details for CVE-2025-6599
Vulnerability Analysis
This vulnerability is classified as CWE-400 (Uncontrolled Resource Consumption). The web server embedded in affected Zyxel devices fails to properly limit the number of concurrent connections or enforce appropriate connection timeouts. When an attacker initiates multiple HTTP connections and intentionally sends data at an extremely slow rate—or leaves connections open without completing the HTTP request—the server's connection pool becomes exhausted.
The Slowloris attack technique is particularly effective against web servers with limited connection handling capacity, which is common in embedded devices like routers and network appliances. Unlike volumetric DDoS attacks, Slowloris requires minimal bandwidth and can be executed from a single machine, making it accessible to attackers with limited resources.
Root Cause
The root cause lies in the web server's resource management implementation. The affected firmware versions do not implement adequate connection timeouts or rate limiting for incoming HTTP connections. The web server maintains open connections waiting for complete HTTP requests without enforcing a reasonable maximum wait time or connection limit per source IP address. This design flaw allows an attacker to consume all available connection slots, preventing legitimate users from accessing the management interface.
Attack Vector
The attack can be launched remotely over the network without requiring authentication. An attacker sends partial HTTP requests to the target device's web management interface and maintains these connections by periodically sending additional HTTP headers. The server keeps these connections open, waiting for the complete request that never arrives. By opening hundreds or thousands of such connections, the attacker exhausts the server's connection pool.
While other networking services such as routing, DHCP, and data forwarding remain unaffected, the denial of access to the web management interface can significantly impact an organization's ability to respond to network incidents or perform configuration changes during an attack.
Detection Methods for CVE-2025-6599
Indicators of Compromise
- Unusually high number of concurrent TCP connections to port 80 or 443 on affected devices from single or limited source IP addresses
- Web management interface becomes unresponsive or extremely slow while other device functions continue normally
- Log entries showing numerous incomplete HTTP requests or connection timeouts
- Elevated memory or connection tracking resource utilization on the device
Detection Strategies
- Monitor network traffic for patterns consistent with Slowloris attacks, including many connections with minimal data transfer
- Implement connection rate monitoring to detect anomalous spikes in TCP connection attempts to device management interfaces
- Configure SIEM rules to alert on repeated HTTP request timeouts from the same source addresses
- Deploy network-based intrusion detection signatures for known Slowloris attack patterns
Monitoring Recommendations
- Establish baseline metrics for normal web management interface connection patterns
- Monitor device resource utilization including active connection counts and memory usage
- Configure alerting thresholds for connection pool exhaustion indicators
- Review device logs regularly for signs of connection flooding or timeout errors
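The indicators, detection strategies and monitoring thresholds above reduce to one measurable: how many connections a single source is holding open to the management ports at once. The script below is an added example, not part of this advisory, that applies a per-source threshold to `ss -tn` output on a monitoring host. The management address 192.168.1.1, the threshold of 20 and the sample connection table are assumptions constructed for the demonstration; the threshold should be set from a baseline of normal administrative traffic.

```shell
#!/bin/sh
# Added example, not from the advisory: flag source IPs holding an unusual number of
# concurrent connections to a device's web management ports (the primary Slowloris
# indicator). Input uses the column layout of `ss -tn`:
#   State Recv-Q Send-Q Local:Port Peer:Port
# The sample data below is constructed, not captured from a real device.

MGMT_HOST="192.168.1.1"   # hypothetical device management address
THRESHOLD=20              # per-source baseline from normal admin traffic; tune per site

# Print "source_ip count", highest first, for each peer whose concurrent connections
# to the management web ports exceed THRESHOLD. Reads ss-style lines on stdin.
slowloris_suspects() {
  awk -v host="$MGMT_HOST" -v limit="$THRESHOLD" '
    # Strip the trailing ":port" from an ss address, leaving the host (IPv4 or [IPv6]).
    function hostpart(addr,   n, parts) {
      n = split(addr, parts, ":")
      return substr(addr, 1, length(addr) - length(parts[n]) - 1)
    }
    function portpart(addr,   n, parts) {
      n = split(addr, parts, ":"); return parts[n]
    }
    # Slowloris completes the TCP handshake and then stalls, so the sessions show
    # as ESTAB; count only those terminating on the web management ports.
    $1 == "ESTAB" && hostpart($4) == host {
      p = portpart($4)
      if (p == "80" || p == "443") count[hostpart($5)]++
    }
    END { for (ip in count) if (count[ip] > limit) print ip, count[ip] }
  ' | sort -k2,2nr
}

# Constructed sample: 203.0.113.5 holds 25 incomplete connections to :80, two admin
# hosts hold a few each, and one unrelated SSH session is present.
gen_sample() {
  i=40000
  while [ "$i" -lt 40025 ]; do
    echo "ESTAB 0 0 $MGMT_HOST:80 203.0.113.5:$i"
    i=$((i + 1))
  done
  echo "ESTAB 0 0 $MGMT_HOST:443 192.168.1.10:51000"
  echo "ESTAB 0 0 $MGMT_HOST:443 192.168.1.10:51001"
  echo "ESTAB 0 0 $MGMT_HOST:80 192.168.1.11:52000"
  echo "ESTAB 0 0 $MGMT_HOST:22 192.168.1.11:53000"
}

# Demo run on the constructed sample. Against a live host, replace gen_sample with:
#   ss -tn | slowloris_suspects
gen_sample | slowloris_suspects
```

Run periodically from cron or a monitoring agent, the output line is what a SIEM rule would alert on; the admin hosts in the sample stay below the threshold and produce no output, which is the baseline behaviour the Monitoring Recommendations describe.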
How to Mitigate CVE-2025-6599
Immediate Actions Required
- Apply the latest firmware updates from Zyxel that address this vulnerability
- Restrict web management interface access to trusted IP addresses or networks using firewall rules
- Consider disabling HTTP/HTTPS management interface access from untrusted networks (WAN side)
- Implement network-level rate limiting for connections to device management interfaces
- Enable any available connection timeout or rate limiting features on the affected devices
Patch Information
Zyxel has released security advisories and firmware updates addressing this vulnerability. Administrators should consult the Zyxel Security Advisory for device-specific firmware versions that contain the fix. Organizations should prioritize updating all affected devices, particularly those with management interfaces exposed to untrusted networks.
Workarounds
- Restrict management interface access to internal networks only by configuring firewall rules to block external access to ports 80 and 443
- Implement an external reverse proxy or web application firewall with Slowloris protection in front of device management interfaces
- Use out-of-band management networks for critical network infrastructure devices
- Consider temporarily disabling the web management interface and using CLI-based management methods where available
# Example firewall rule to restrict management access (adjust for your environment)
# Allow management access only from trusted admin network
iptables -A INPUT -p tcp --dport 80 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
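The allow-list above keeps untrusted networks off the interface but does not stop a trusted host, or an attacker behind one, from holding every connection slot. The script below is an added example, not from the advisory or from Zyxel, that emits the same allow-list together with a per-source concurrent-connection cap and a new-connection rate limit using the iptables connlimit and hashlimit matches, for a Linux firewall or reverse proxy placed in front of the device rather than on the device itself. The management address, admin network, chain name and numeric limits are placeholder assumptions to adjust for your environment.

```shell
#!/bin/sh
# Added example, not from the advisory or from Zyxel: generate iptables rules that
# combine an admin allow-list with a per-source concurrent-connection cap (connlimit)
# and a per-source new-connection rate limit (hashlimit), the two controls that blunt
# a Slowloris flood. Intended for a Linux firewall or reverse-proxy host in front of
# the device. All addresses and limits are hypothetical placeholders.

MGMT_HOST="192.168.1.1"        # device management address (placeholder)
ADMIN_NET="192.168.1.0/24"     # trusted administrative network (placeholder)
CHAIN="${CHAIN:-FORWARD}"      # FORWARD when routing to the device, INPUT on a proxy
MAX_CONN_PER_SRC=10            # open connections any single source may hold
NEW_CONN_RATE="30/minute"      # sustained new-connection rate per source
NEW_CONN_BURST=20              # short burst tolerated before throttling kicks in

# Emit the rules instead of applying them, so they can be reviewed first.
build_mgmt_rules() {
  for port in 80 443; do
    # 1. Cap concurrent connections per source IP. Slowloris relies on holding many
    #    sessions from few hosts; conntrack counts them and excess ones get a RST.
    echo "iptables -A $CHAIN -p tcp -d $MGMT_HOST --dport $port" \
      "-m connlimit --connlimit-above $MAX_CONN_PER_SRC --connlimit-mask 32" \
      "-j REJECT --reject-with tcp-reset"
    # 2. Throttle the rate of new (SYN) connections per source IP.
    echo "iptables -A $CHAIN -p tcp -d $MGMT_HOST --dport $port --syn" \
      "-m hashlimit --hashlimit-name mgmt_$port --hashlimit-mode srcip" \
      "--hashlimit-above $NEW_CONN_RATE --hashlimit-burst $NEW_CONN_BURST -j DROP"
    # 3. Only the admin network reaches the interface; everything else is dropped.
    #    The limits come first so that even trusted hosts cannot exhaust the pool.
    echo "iptables -A $CHAIN -p tcp -d $MGMT_HOST --dport $port -s $ADMIN_NET -j ACCEPT"
    echo "iptables -A $CHAIN -p tcp -d $MGMT_HOST --dport $port -j DROP"
  done
}

# Usage: ./mgmt_limits.sh          (print the rules for review)
#        ./mgmt_limits.sh --apply  (run them, as root)
if [ "${1:-}" = "--apply" ]; then
  build_mgmt_rules | sh
else
  build_mgmt_rules
fi
```

The connection cap is the control that matters most against this CVE: a Slowloris client needs to hold hundreds of sessions open, and a cap of ten per source keeps any single host well short of the device's pool. Set MAX_CONN_PER_SRC above the number of parallel connections a browser session to the interface normally opens, otherwise legitimate administrators will be reset.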
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.