CVE-2025-8078 Overview
CVE-2025-8078 is a post-authentication command injection vulnerability affecting Zyxel ZLD-based firewall appliances. The flaw resides in the command-line interface (CLI) handler, where a crafted string passed as an argument to a CLI command is executed by the underlying operating system shell. An authenticated attacker with administrator privileges can leverage this weakness to run arbitrary operating system commands on the device. The vulnerability is tracked as CWE-78 (OS Command Injection) and impacts Zyxel ATP, USG FLEX, USG FLEX 50(W), and USG20(W)-VPN series running affected ZLD firmware between V4.16 and V5.40.
Critical Impact
Authenticated administrators can execute arbitrary OS commands on perimeter firewall appliances, enabling full device compromise, lateral movement, and persistence on the security boundary.
Affected Products
- Zyxel ATP series firmware V4.32 through V5.40 (ATP100, ATP100W, ATP200, ATP500, ATP700, ATP800)
- Zyxel USG FLEX series firmware V4.50 through V5.40 (USG FLEX 100, 100AX, 100W, 200, 500, 700)
- Zyxel USG FLEX 50(W) and USG20(W)-VPN firmware V4.16 through V5.40
Discovery Timeline
- 2025-10-21 - Zyxel publishes security advisory for ZLD firewalls
- 2025-10-21 - CVE-2025-8078 published to NVD
- 2025-10-28 - Last updated in NVD database
Technical Details for CVE-2025-8078
Vulnerability Analysis
The vulnerability is an OS command injection flaw reachable through the device CLI after successful authentication as an administrator. When a specific CLI command receives an argument, the firmware passes that input to an underlying shell or system call without sufficient sanitization. An attacker can embed shell metacharacters in the argument to break out of the intended command context and execute arbitrary commands in the firewall operating environment.
Because the affected devices function as network perimeter security appliances, command execution at the OS level provides direct access to firewall configuration, traffic inspection logic, VPN credentials, and routing tables. The attack requires the highest privilege level on the device, but successful exploitation yields complete control of the appliance and the network segments it protects.
Root Cause
The root cause is improper neutralization of special elements in CLI command arguments, classified as CWE-78. The CLI parser accepts user-supplied strings and forwards them to an OS-level execution function without escaping shell metacharacters such as backticks, semicolons, pipes, or command substitution sequences. The CLI handler treats administrator input as trusted, but a crafted argument can transition execution from the constrained CLI context to the underlying shell.
Attack Vector
Exploitation requires network access to the CLI service (typically SSH or the web-based console CLI) and valid administrator credentials. After authentication, the attacker issues the vulnerable CLI command with a payload appended to the legitimate argument. The injected payload runs with the privileges of the CLI process, which on ZLD firewalls operates with elevated system rights. Practical attack scenarios include credential reuse from prior breaches, compromise of administrator workstations, and post-exploitation pivoting after initial access to the management network.
No public proof-of-concept is currently available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The EPSS probability is 0.121%.
Detection Methods for CVE-2025-8078
Indicators of Compromise
- Unexpected administrator CLI sessions over SSH or the web console, particularly from non-management source IPs or outside maintenance windows.
- CLI command history entries containing shell metacharacters (;, |, `, $(, &&) inside argument fields where only plain identifiers are expected.
- New cron jobs, startup scripts, or modified system binaries on the firewall that were not introduced by an authorized firmware update.
- Outbound connections originating from the firewall management plane to unfamiliar hosts.
Detection Strategies
- Forward Zyxel device logs and CLI audit trails to a centralized SIEM and alert on administrator command arguments containing shell escape characters.
- Baseline normal administrator activity (source IP, commands issued, time of day) and flag deviations such as long argument strings or commands invoked from new operators.
- Monitor authentication logs for successful admin logins followed quickly by unusual CLI commands, configuration exports, or firmware-level operations.
Monitoring Recommendations
- Restrict management interface exposure and log every administrative session, including full command-line arguments where supported.
- Correlate Zyxel audit events with network telemetry to identify firewall-originated traffic that bypasses normal egress paths.
- Review configuration change diffs after every administrator session to identify silent modifications introduced through injected commands.
How to Mitigate CVE-2025-8078
Immediate Actions Required
- Apply the firmware updates published in the Zyxel Security Advisory of October 21, 2025 to all affected ATP, USG FLEX, USG FLEX 50(W), and USG20(W)-VPN appliances.
- Rotate all administrator credentials and any shared secrets (VPN pre-shared keys, RADIUS secrets) stored on the device, assuming they may have been exposed.
- Audit administrator accounts and remove unused or stale accounts; enforce multi-factor authentication for all remaining accounts.
- Review firewall configuration, scripts, and scheduled jobs for unauthorized modifications introduced before patching.
Patch Information
Zyxel has released firmware updates that remediate CVE-2025-8078 alongside related missing-authorization issues. Refer to the Zyxel Security Advisory for the specific fixed ZLD firmware version applicable to each ATP, USG FLEX, and USG20(W)-VPN model.
Workarounds
- Restrict CLI and management interface access to a dedicated management VLAN and a minimal allow-list of administrator source IP addresses.
- Disable WAN-side access to SSH, HTTPS management, and the web console; require VPN access before any administrative connection.
- Enforce strong, unique administrator passwords and enable two-factor authentication on all administrative accounts to limit credential abuse.
- Continuously monitor administrator session logs until firmware patches are deployed across the fleet.
# Configuration example - restrict management access to trusted subnet only
Router# configure terminal
Router(config)# service-control SSH address-object MGMT_NET
Router(config)# service-control HTTPS address-object MGMT_NET
Router(config)# service-control WWW deny WAN
Router(config)# write
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
