CVE-2025-9133_CVE-2025-9133

8.1 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Description

A missing authorization vulnerability in Zyxel ATP series firmware versions from V4.32 through V5.40, USG FLEX series firmware versions from V4.50 through V5.40, USG FLEX 50(W) series firmware versions from V4.16 through V5.40, and USG20(W)-VPN series firmware versions from V4.16 through V5.40 could allow a semi-authenticated attacker—who has completed only the first stage of the two-factor authentication (2FA) process—to view and download the system configuration from an affected device.

Basic Information

ID CVE-2025-9133

Source Zyxel

Published Oct 21, 2025 at 01:57

Affected Product

Vendor Zyxel

Product ATP series firmware

Version versions from V4.32 through V5.40

Affected Versions Zyxel ATP series firmware versions from V4.32 through V5.40
Zyxel USG FLEX series firmware versions from V4.50 through V5.40
Zyxel USG FLEX 50(W) series firmware versions from V4.16 through V5.40
Zyxel USG20(W)-VPN series firmware versions from V4.16 through V5.40

CWE Classification

CWE-862

References

www.zyxel.com /global/en/support/security-advisories/zyxel-security-advisory-for-post-authentication-command-injection-and-missing-authorization-vulnerabilities-in-zld-firewalls-10-21-2025

{
    "lastseen": "",
    "description": "A missing authorization vulnerability in Zyxel ATP series firmware versions from V4.32 through V5.40, USG FLEX series firmware versions from V4.50 through V5.40, USG FLEX 50(W) series firmware versions from V4.16 through V5.40, and USG20(W)-VPN series firmware versions from V4.16 through V5.40 could allow a semi-authenticated attacker\u2014who has completed only the first stage of the two-factor authentication (2FA) process\u2014to view and download the system configuration from an affected device.",
    "published": "2025-10-21T01:57:20.265Z",
    "modified": "2025-10-21T01:57:20.265Z",
    "type": "cve",
    "title": "CVE-2025-9133",
    "source": "Zyxel",
    "references": "https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-post-authentication-command-injection-and-missing-authorization-vulnerabilities-in-zld-firewalls-10-21-2025",
    "id": "CVE-2025-9133",
    "bulletinFamily": "",
    "cwe": [
        "CWE-862"
    ],
    "cvelist": null,
    "sourceData": "Zyxel ATP series firmware versions from V4.32 through V5.40\nZyxel USG FLEX series firmware versions from V4.50 through V5.40\nZyxel USG FLEX 50(W) series firmware versions from V4.16 through V5.40\nZyxel USG20(W)-VPN series firmware versions from V4.16 through V5.40",
    "sourceHref": "",
    "cvss": {
        "score": 8.1,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "ATP series firmware",
    "version": "versions from V4.32 through V5.40",
    "vendor": "Zyxel",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}