Skip to main content
CVE Vulnerability Database

CVE-2025-9133: Zyxel ZLD Auth Bypass Vulnerability

CVE-2025-9133 is an authentication bypass flaw in Zyxel ZLD firmware that allows semi-authenticated attackers to access system configurations. This article covers the technical details, affected versions, and mitigation.

Published:

CVE-2025-9133 Overview

CVE-2025-9133 is a missing authorization vulnerability [CWE-862] affecting Zyxel ATP, USG FLEX, USG FLEX 50(W), and USG20(W)-VPN firewall series running ZLD firmware. The flaw allows a semi-authenticated attacker who has completed only the first stage of the two-factor authentication (2FA) process to view and download the system configuration from an affected device. Exposed configuration files contain credentials, VPN secrets, firewall rules, and network topology data that attackers can leverage for follow-on intrusions. Zyxel published the advisory on October 21, 2025, and the issue impacts firmware versions from V4.16/V4.32/V4.50 through V5.40 depending on the product line.

Critical Impact

An attacker who knows valid first-stage credentials can bypass the 2FA enforcement boundary and exfiltrate the complete firewall configuration, enabling lateral movement and persistent access into protected networks.

Affected Products

  • Zyxel ATP series (ATP100, ATP100W, ATP200, ATP500, ATP700, ATP800) firmware V4.32 through V5.40
  • Zyxel USG FLEX series (USG FLEX 100, 100AX, 100W, 200, 500, 700) firmware V4.50 through V5.40, and USG FLEX 50/50W/50AX firmware V4.16 through V5.40
  • Zyxel USG20(W)-VPN series firmware V4.16 through V5.40

Discovery Timeline

  • 2025-10-21 - Zyxel publishes security advisory for ZLD firewalls
  • 2025-10-21 - CVE-2025-9133 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-9133

Vulnerability Analysis

The vulnerability resides in the authorization logic of the ZLD firmware management interface. The affected appliances implement a two-stage authentication workflow in which a user submits credentials in the first stage and then completes a second factor before being granted a fully authorized session. Configuration export endpoints fail to validate that the second-stage check has succeeded before serving the requested data.

An attacker who possesses valid username and password credentials, whether obtained through phishing, credential reuse, or brute force against exposed management interfaces, can reach an intermediate session state. From that state the device incorrectly authorizes requests to configuration download endpoints. The exported configuration commonly includes administrator account hashes, IPsec pre-shared keys, SSL VPN settings, RADIUS secrets, and routing details.

The weakness maps to [CWE-862] Missing Authorization. The EPSS model assigns the CVE a probability of 5.462% at the 91.7 percentile, reflecting elevated interest in Zyxel edge devices among opportunistic attackers.

Root Cause

The firmware treats completion of the first authentication factor as sufficient to establish a session context that downstream handlers trust. Configuration retrieval endpoints query session validity but do not verify that 2FA has been completed. This design flaw collapses the security boundary that 2FA was meant to enforce.

Attack Vector

The attack is network-reachable and requires low complexity. An adversary needs valid first-stage credentials for an account on the device, typically an administrator or limited management user. After submitting those credentials and receiving the partial session token, the attacker issues an HTTP request against the configuration export endpoint and receives the device configuration without ever supplying the second factor. No user interaction is required beyond the attacker's own authentication.

No public proof-of-concept exploit has been published. The vulnerability mechanism is described in the Zyxel Security Advisory.

Detection Methods for CVE-2025-9133

Indicators of Compromise

  • Web management access logs showing successful first-stage logins immediately followed by configuration download requests without a corresponding 2FA success event
  • Configuration export HTTP requests originating from unexpected source IP addresses or geographies
  • New or modified administrator accounts, IPsec tunnels, or firewall rules appearing shortly after suspicious authentication activity
  • Outbound traffic from the firewall to attacker infrastructure following configuration download events

Detection Strategies

  • Correlate authentication events on ZLD devices, alerting when a session retrieves configuration data without a logged second-factor success
  • Parse Zyxel syslog streams for HTTP/HTTPS requests targeting configuration export URLs and flag those tied to incomplete authentication sequences
  • Baseline normal administrator behavior and flag off-hours configuration downloads, especially from IPs outside known management subnets

Monitoring Recommendations

  • Forward ZLD device logs to a centralized SIEM and retain authentication, session, and configuration management events for at least 90 days
  • Monitor for credential stuffing and brute-force patterns against the firewall management interface, which is the prerequisite stage for this attack
  • Alert on configuration backup files appearing in unexpected egress traffic or DLP inspection points

How to Mitigate CVE-2025-9133

Immediate Actions Required

  • Apply the firmware updates referenced in the Zyxel Security Advisory to all affected ATP, USG FLEX, USG FLEX 50(W), and USG20(W)-VPN devices
  • Rotate all administrator passwords, VPN pre-shared keys, RADIUS secrets, and API tokens stored on the appliance after patching
  • Restrict management interface access to a trusted internal management network and disable WAN-side administration

Patch Information

Zyxel released fixed firmware on October 21, 2025 addressing both the missing authorization issue and a related post-authentication command injection. Customers should download the appropriate firmware build for their hardware model from the Zyxel support portal and verify the device reports a version newer than V5.40 after upgrade.

Workarounds

  • Disable HTTP/HTTPS administration on WAN interfaces until firmware can be applied
  • Enforce source-IP restrictions on the management ACL to limit which hosts can reach the web interface
  • Audit and disable any non-essential administrator accounts to reduce the credential surface available to attackers
  • Enable account lockout and brute-force protection settings to slow credential discovery against first-stage authentication

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.