Zyxel ATP and USG FLEX Firewalls CVE-2025-9133: Brief Summary of a Missing Authorization Vulnerability

This post provides a brief summary of CVE-2025-9133, a missing authorization vulnerability in Zyxel ATP, USG FLEX, USG FLEX 50(W), and USG20(W)-VPN firewalls. The flaw allows attackers who have completed only the first stage of two-factor authentication to download sensitive configuration files. The post covers affected versions, technical details, and vendor security context.
CVE Analysis


ZeroPath CVE Analysis


2025-10-20

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.


Introduction

Attackers who obtain valid credentials for Zyxel ATP or USG FLEX firewalls can download sensitive configuration files after passing only the first step of two-factor authentication. This flaw exposes network topology, VPN settings, and user data to adversaries with partial access, undermining the intended protections of multi-factor authentication.

About Zyxel: Zyxel is a prominent global vendor of networking hardware, including firewalls, switches, and wireless access points. Its ATP and USG FLEX series are widely deployed in enterprise and SMB environments. Zyxel products are used in thousands of organizations worldwide, making vulnerabilities in these devices particularly impactful for network security.

Technical Information

CVE-2025-9133 is a missing authorization vulnerability in Zyxel ZLD firmware. The issue affects the authentication flow for the web management interface and potentially other management endpoints. When a user logs in and completes only the first factor of two-factor authentication (username and password), the system creates a session object. Due to improper authorization logic, this session is not restricted as intended. The firmware fails to check whether the second authentication factor has been completed before allowing access to sensitive resources.

As a result, an attacker who has obtained valid credentials (via phishing, credential stuffing, or other means) can authenticate with only the first factor and directly access endpoints that allow viewing and downloading of the full system configuration. The vulnerability is categorized under CWE-862 (Missing Authorization), which covers failures to enforce proper authorization checks after authentication.

No public code snippets or endpoint details were available at the time of writing.
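To make the authorization failure described above concrete, the following is an added, hypothetical illustration written for this post. It is not Zyxel firmware and does not reproduce any real ZLD code path; the endpoint paths (`/auth/mfa`, `/config/export`, `/config/view`), the user record layout, and the fixed TOTP stand-in are all constructed placeholders. It models the two-stage login as a session with an explicit stage, then contrasts a CWE-862 authorization check that only tests for the existence of a session with a hardened check that requires the second factor before any sensitive resource is served.

```python
"""Hypothetical model of a two-factor login flow and the CWE-862 authorization
bug class described in the post. Not vendor code; all names are constructed."""
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum, auto
from typing import Dict, Optional


class AuthStage(Enum):
    PASSWORD_OK = auto()    # first factor accepted, second factor still pending
    MFA_COMPLETE = auto()   # both factors verified


@dataclass
class Session:
    user: str
    stage: AuthStage
    mfa_required: bool


# Hypothetical endpoint paths used only for this illustration.
MFA_ENDPOINT = "/auth/mfa"
SENSITIVE_ENDPOINTS = frozenset({"/config/view", "/config/export"})


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user_db() -> Dict[str, dict]:
    """Constructed sample user database: one admin account with MFA enabled."""
    salt = b"constructed-salt"  # fixed so the example is deterministic
    return {
        "admin": {
            "salt": salt,
            "pw_hash": _hash_password("example-password", salt),
            "totp_code": "123456",  # stand-in for a real TOTP verifier
            "mfa_required": True,
        }
    }


def login_first_factor(db: Dict[str, dict], user: str, password: str) -> Optional[Session]:
    """Step 1: verify username/password. On success a session object exists,
    but only at PASSWORD_OK; this is the half-authenticated state the post describes."""
    rec = db.get(user)
    if rec is None:
        return None
    if not hmac.compare_digest(_hash_password(password, rec["salt"]), rec["pw_hash"]):
        return None
    return Session(user=user, stage=AuthStage.PASSWORD_OK, mfa_required=rec["mfa_required"])


def complete_second_factor(db: Dict[str, dict], session: Session, code: str) -> bool:
    """Step 2: verify the second factor and promote the session to MFA_COMPLETE."""
    rec = db[session.user]
    if session.stage != AuthStage.PASSWORD_OK:
        return False
    if not hmac.compare_digest(code, rec["totp_code"]):
        return False
    session.stage = AuthStage.MFA_COMPLETE
    return True


def authorize_vulnerable(session: Optional[Session], endpoint: str) -> bool:
    """CWE-862 pattern: the mere existence of a session is treated as full
    authorization; the second-factor state is never consulted."""
    return session is not None


def authorize_fixed(session: Optional[Session], endpoint: str) -> bool:
    """Hardened check: a half-authenticated session may only reach the
    second-factor endpoint; everything else requires MFA_COMPLETE when MFA is on."""
    if session is None:
        return False
    if endpoint == MFA_ENDPOINT:
        # Only a session still awaiting its second factor may use this step.
        return session.stage == AuthStage.PASSWORD_OK
    if session.mfa_required and session.stage != AuthStage.MFA_COMPLETE:
        return False
    return True


def scenario() -> dict:
    """Replay the flow from the post and return both checks' decisions."""
    db = make_user_db()
    s = login_first_factor(db, "admin", "example-password")
    after_first = {
        "vulnerable": authorize_vulnerable(s, "/config/export"),
        "fixed": authorize_fixed(s, "/config/export"),
        "mfa_step_allowed": authorize_fixed(s, MFA_ENDPOINT),
    }
    complete_second_factor(db, s, "123456")
    after_second = {
        "fixed": authorize_fixed(s, "/config/export"),
        "mfa_step_allowed": authorize_fixed(s, MFA_ENDPOINT),
    }
    return {"after_first_factor": after_first, "after_second_factor": after_second}


if __name__ == "__main__":
    print(scenario())
```

The design point is that the authorization decision must be keyed on an explicit authentication stage stored with the session, not on whether a session exists. With the vulnerable check, a session created after the password step alone is granted `/config/export`; with the fixed check, that session can reach only the second-factor step until it is promoted, which is the property the advisory says the affected firmware failed to enforce.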

Affected Systems and Versions

The following Zyxel firewall products and firmware versions are affected:

  • ATP Series: Firmware versions V4.32 through V5.40
  • USG FLEX Series: Firmware versions V4.50 through V5.40
  • USG FLEX 50(W) Series: Firmware versions V4.16 through V5.40
  • USG20(W)-VPN Series: Firmware versions V4.16 through V5.40

Devices running these firmware versions in on-premises management mode are vulnerable. Devices managed through the Zyxel Nebula cloud platform are not affected.

Vendor Security History

Zyxel has experienced multiple high-impact vulnerabilities in its firewall products, including:

  • CVE-2023-28771 (improper error handling, remote code execution, CVSS 9.8)
  • CVE-2022-0342 (authentication bypass)
  • CVE-2022-30525 (OS command injection)
  • CVE-2024-11667 (directory traversal, ransomware exploitation)

The company typically releases advisories and patches in a timely manner, but repeated issues in authentication and authorization logic indicate persistent challenges in secure firmware development.
