Zyxel Authorization Bypass Vulnerability Lets Attackers View and Download System Configurations

A serious security flaw has been discovered in Zyxel’s ATP and USG series network security appliances, enabling attackers to bypass two-factor authentication and access sensitive system configurations without authorization.

Identified as CVE-2025-9133, this vulnerability impacts devices running ZLD firmware version 5.40 and was publicly disclosed on October 21, 2025, following a coordinated disclosure.

The flaw lies in the zysh-cgi binary, which handles configuration requests and modifications on the ZLD system. Attackers can exploit weaknesses during the two-factor authentication process, injecting additional commands that allow them to access critical system files.

Users with 2FA enabled normally provide a verification code via email or Google Authenticator during login. However, the vulnerability allows attackers to manipulate commands during this intermediate authentication step, enabling them to view and download complete system configurations, including administrative credentials, encryption keys, and other sensitive security parameters.

Discovery and Analysis

Security researcher Rainpwn identified this vulnerability in August 2025 while examining Zyxel appliances. The investigation revealed that the authentication system fails to validate commands properly during the 2FA verification phase, allowing semi-authenticated users to execute privileged operations.

This discovery coincided with another critical flaw, CVE-2025-8078, highlighting ongoing issues in Zyxel’s authentication design.

Command Injection and Whitelist Bypass

The root cause lies in the zysh-cgi endpoint, which uses a whitelist to restrict semi-authenticated users to specific commands, like show version or show users current.

However, the validation only checks command prefixes and does not split concatenated commands. Attackers can chain multiple commands with semicolons, executing unauthorized instructions alongside valid ones.

For example, a proof-of-concept HTTP POST request to /cgi-bin/zysh-cgi might include:

filter=js2&cmd=show%20version;show%20running-config&write=0

Here, show version passes the whitelist check, but show running-config executes with full privileges because the system does not validate commands after the semicolon. This returns the device’s complete configuration in JavaScript-formatted arrays, exposing sensitive details like VPN keys, firewall rules, and network topology.

This vulnerability mainly affects users with restricted profiles (user type 0x14). Analysis shows the zysh-cgi binary uses strncmp() to validate prefixes but fails to tokenize or recursively validate chained commands.

The parameters filter=js2 and write=0 instruct the system to return read-only JavaScript data, ensuring no accidental modifications while still revealing sensitive information.
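The whitelist defect described above, modelled in C as an added illustration that is not Zyxel's code. The weak_allow() function reproduces the behaviour the analysis attributes to zysh-cgi (a strncmp() prefix match over the whole cmd value, with no splitting on semicolons); strict_allow() is the fail-closed alternative a defender would want: split on every separator the command interpreter honours, require each segment to match a whitelist entry exactly, and reject empty or unknown segments. The whitelist entries show version and show users current come from the article; the function names, the 512-byte limits and the assumption that the check runs on the URL-decoded cmd value are this example's own.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Commands a semi-authenticated (mid-2FA) user is meant to be allowed.
 * These two entries are the ones named in the article; everything else
 * in this file is an illustrative model, not Zyxel's implementation. */
static const char *const ALLOWED[] = {
    "show version",
    "show users current",
};
static const size_t N_ALLOWED = sizeof ALLOWED / sizeof ALLOWED[0];

/* Weak check modelled on the reported bug: a strncmp() prefix match on
 * the whole (already URL-decoded) cmd value, with no splitting on ';'.
 * "show version;show running-config" passes because it begins with an
 * allowed prefix, even though the second command is not allowed. */
bool weak_allow(const char *cmd)
{
    for (size_t i = 0; i < N_ALLOWED; i++) {
        if (strncmp(cmd, ALLOWED[i], strlen(ALLOWED[i])) == 0)
            return true;
    }
    return false;
}

/* Strip leading and trailing whitespace in place; returns the new start. */
static char *trim(char *s)
{
    while (*s && isspace((unsigned char)*s))
        s++;
    char *end = s + strlen(s);
    while (end > s && isspace((unsigned char)end[-1]))
        *--end = '\0';
    return s;
}

/* Hardened check: tokenise on ';' and line breaks (assumed here to be
 * the separators the interpreter honours), then require every segment
 * to equal a whitelist entry exactly. Empty, overlong or unknown
 * segments reject the whole request, so the check fails closed. */
bool strict_allow(const char *cmd)
{
    const char *p = cmd;
    for (;;) {
        size_t len = strcspn(p, ";\r\n");
        char seg[512];
        if (len >= sizeof seg)
            return false;                 /* overlong segment: reject */
        memcpy(seg, p, len);
        seg[len] = '\0';

        const char *t = trim(seg);
        if (*t == '\0')
            return false;                 /* empty command: reject */

        bool ok = false;
        for (size_t i = 0; i < N_ALLOWED; i++) {
            if (strcmp(t, ALLOWED[i]) == 0) {
                ok = true;
                break;
            }
        }
        if (!ok)
            return false;                 /* unknown command: reject */

        if (p[len] == '\0')
            return true;                  /* every segment was allowed */
        p += len + 1;                     /* skip the separator */
    }
}

int main(void)
{
    /* Constructed inputs, including the decoded form of the request
     * shown in the article. */
    const char *inputs[] = {
        "show version",
        "show version;show running-config",
        "show version; show users current",
        "show running-config",
    };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        printf("%-40s weak=%d strict=%d\n", inputs[i],
               weak_allow(inputs[i]), strict_allow(inputs[i]));
    }
    return 0;
}
```

The point of the contrast is that the prefix check and the exact-match check agree on every single allowed command, and only diverge once a separator is present; a regression test that feeds the chained form from the advisory to the validator and expects a rejection is the cheapest way to keep such a check honest after future whitelist changes.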

Remediation

Zyxel issued a firmware update on October 20, 2025, and released an advisory on October 21, 2025, urging all ATP and USG users to update immediately to mitigate this critical vulnerability.