Introduction
Attackers who obtain valid credentials for Zyxel ATP or USG FLEX firewalls can download sensitive configuration files after passing only the first step of two-factor authentication. This flaw exposes network topology, VPN settings, and user data to adversaries with partial access, undermining the intended protections of multi-factor authentication.
About Zyxel: Zyxel is a prominent global vendor of networking hardware, including firewalls, switches, and wireless access points. Its ATP and USG FLEX series are widely deployed in enterprise and SMB environments. Zyxel products are used in thousands of organizations worldwide, making vulnerabilities in these devices particularly impactful for network security.
Technical Information
CVE-2025-9133 is a missing authorization vulnerability in Zyxel ZLD firmware. The issue affects the authentication flow for the web management interface and potentially other management endpoints. When a user logs in and completes only the first factor of two-factor authentication (username and password), the system creates a session object. Due to improper authorization logic, this session is not restricted as intended. The firmware fails to check whether the second authentication factor has been completed before allowing access to sensitive resources.
As a result, an attacker who has obtained valid credentials (via phishing, credential stuffing, or other means) can authenticate with only the first factor and directly access endpoints that allow viewing and downloading of the full system configuration. The vulnerability is categorized under CWE-862 (Missing Authorization), which covers failures to enforce proper authorization checks after authentication.
No public code snippets or endpoint details were available at the time of writing.
Affected Systems and Versions
The following Zyxel firewall products and firmware versions are affected:
- ATP Series: Firmware versions V4.32 through V5.40
- USG FLEX Series: Firmware versions V4.50 through V5.40
- USG FLEX 50(W) Series: Firmware versions V4.16 through V5.40
- USG20(W)-VPN Series: Firmware versions V4.16 through V5.40
Devices running these firmware versions in on-premise management mode are vulnerable. Devices managed via Zyxel Nebula cloud platform are not affected.
Vendor Security History
Zyxel has experienced multiple high-impact vulnerabilities in its firewall products, including:
- CVE-2023-28771 (improper error handling, remote code execution, CVSS 9.8)
- CVE-2022-0342 (authentication bypass)
- CVE-2022-30525 (OS command injection)
- CVE-2024-11667 (directory traversal, ransomware exploitation)
The company typically releases advisories and patches in a timely manner, but repeated issues in authentication and authorization logic indicate persistent challenges in secure firmware development.
