CVE-2025-1731 and CVE-2025-1732 impact Zyxel Firewalls

Zyxel has disclosed two critical vulnerabilities, CVE-2025-1731 and CVE-2025-1732, affecting its USG FLEX H series firewalls. These vulnerabilities could allow authenticated local attackers to escalate privileges and compromise the security of affected devices.

1. CVE-2025-1731: Incorrect Permission Assignment

  • Description: This vulnerability exists in the PostgreSQL command processing of certain firmware versions in the USG FLEX H series.
  • An attacker with low-level access and a valid session token (e.g., if an administrator has not logged out) can exploit permission assignment errors to:
    • Gain access to the Linux shell.
    • Escalate privileges by crafting malicious scripts or modifying system configurations.
  • This could lead to administrator-level access, enabling unauthorized control over the device.
  • Severity: High.
  • Exploitation Requirements:
    • Local access with low-level privileges.
    • A valid session token (e.g., stolen or active due to an admin not logging out).

2. CVE-2025-1732: Improper Privilege Management

  • Description: This vulnerability impacts the recovery function of the affected firmware.
  • An attacker with administrator credentials can upload a crafted configuration file to exploit weaknesses in privilege controls.
  • This allows the attacker to further escalate privileges or compromise the device’s integrity.
  • Severity: High.
  • Exploitation Requirements:
    • Administrator-level access.
    • Ability to upload configuration files.

Affected Products

  • Zyxel USG FLEX H Series Firewalls running the following firmware versions:
    • uOS V1.20 to V1.31.

Mitigation Strategies

1. Apply Security Patches

  • Zyxel has released patches to address these vulnerabilities:
    • CVE-2025-1731: Fixed in uOS V1.31.
    • CVE-2025-1732: Fixed in uOS V1.32.
  • Users are strongly advised to update their devices to the latest firmware version (uOS V1.32) immediately.

2. Restrict Access

  • Limit access to the firewall’s management interface to trusted IP addresses.
  • Enforce multi-factor authentication (MFA) for all administrative accounts.

3. Monitor for Suspicious Activity

  • Regularly audit system logs for unusual activity, such as unauthorized shell access or configuration changes.
  • Use intrusion detection systems (IDS) to flag potential exploitation attempts.
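The audit the monitoring section calls for can be automated against an exported log. The following script is an added example, not part of the Zyxel advisory or any Zyxel tooling; the log format, field names, event names and the sample lines are constructed for illustration and must be mapped to the real export format of the firewall in use. It flags the three activity classes relevant to these CVEs: shell access by an account that is not a full administrator, configuration changes or uploads from outside a trusted management range, and an administrator session reused after a long idle gap with no logout in between (the "admin did not log out" precondition of CVE-2025-1731).

```python
"""Added example (not from the Zyxel advisory): audit a syslog-style export
for the activity classes the mitigation section names. The log format,
event names and sample lines below are constructed for illustration."""
import re
from datetime import datetime, timedelta

# Constructed sample lines in a generic key=value format:
#   <ISO timestamp> <event> user=<name> role=<role> src=<ip> [detail=<text>]
SAMPLE_LOG = """\
2025-04-22T08:00:01 login user=admin role=administrator src=10.0.0.5
2025-04-22T08:02:10 config_change user=admin role=administrator src=10.0.0.5 detail=policy-edit
2025-04-22T08:05:42 shell_access user=guest role=limited-admin src=10.0.0.9
2025-04-22T08:06:00 config_upload user=admin role=administrator src=203.0.113.7 detail=recovery
2025-04-22T10:30:00 config_change user=admin role=administrator src=10.0.0.5 detail=nat-edit
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"src=(?P<src>\S+)(?: detail=(?P<detail>\S+))?$"
)

# Constructed allow-list: only these prefixes may reach the management interface.
TRUSTED_MGMT_PREFIXES = ("10.0.0.",)
# Idle gap after which continued activity without a logout is treated as a stale session.
SESSION_IDLE_LIMIT = timedelta(hours=1)


def parse(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return events


def audit(events):
    """Return a list of (finding_kind, subject, timestamp) tuples."""
    findings = []
    last_seen = {}  # user -> timestamp of their most recent activity in an open session
    for e in events:
        # Shell access by anyone who is not a full administrator is always worth a look.
        if e["event"] == "shell_access" and e["role"] != "administrator":
            findings.append(("shell_access_by_low_priv", e["user"], e["ts"]))
        # Configuration changes or uploads from outside the trusted management range.
        if e["event"] in ("config_change", "config_upload") and not e["src"].startswith(TRUSTED_MGMT_PREFIXES):
            findings.append(("config_from_untrusted_src", e["src"], e["ts"]))
        # Session hygiene: activity resuming after a long idle gap with no logout in between.
        if e["event"] == "logout":
            last_seen.pop(e["user"], None)
            continue
        prev = last_seen.get(e["user"])
        if prev is not None and e["ts"] - prev > SESSION_IDLE_LIMIT:
            findings.append(("stale_session_reuse", e["user"], e["ts"]))
        last_seen[e["user"]] = e["ts"]
    return findings


if __name__ == "__main__":
    for kind, subject, ts in audit(parse(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {kind}: {subject}")
```

Against the constructed sample the script reports the guest shell access, the configuration upload from 203.0.113.7, and the administrator's 10:30 change that followed a gap of more than an hour with no logout. The idle limit and trusted prefixes are deliberately conservative placeholders; tune them to the session-timeout policy and management network actually in use.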

Acknowledgments

Zyxel credited Alessandro Sgreccia from HackerHood and Marco Ivaldi from HN Security for responsibly disclosing these vulnerabilities.
