CVE-2025-1731 and CVE-2025-1732 impacts Zyxel Firewalls

PravinKarthik

1 year ago

Description:
This vulnerability exists in the PostgreSQL command processing of certain firmware versions in the USG FLEX H series.
An attacker with low-level access and a valid session token (e.g., if an administrator has not logged out) can exploit permission assignment errors to:
- Gain access to the Linux shell.
- Escalate privileges by crafting malicious scripts or modifying system configurations.
This could lead to administrator-level access, enabling unauthorized control over the device.
Severity: High.
Exploitation Requirements:
Local access with low-level privileges.
A valid session token (e.g., stolen or active due to an admin not logging out).

Description:
This vulnerability impacts the recovery function of the affected firmware.
An attacker with administrator credentials can upload a crafted configuration file to exploit weaknesses in privilege controls.
This allows the attacker to further escalate privileges or compromise the device’s integrity.
Severity: High.
Exploitation Requirements:
Administrator-level access.
Ability to upload configuration files.

Zyxel has released patches to address these vulnerabilities.
CVE-2025-1731: Fixed in uOS V1.31.
CVE-2025-1732: Fixed in uOS V1.32.
Users are strongly advised to update their devices to the latest firmware version (uOS V1.32) immediately.

Limit access to the firewall’s management interface to trusted IP addresses.
Enforce multi-factor authentication (MFA) for all administrative accounts.

Regularly audit system logs for unusual activity, such as unauthorized shell access or configuration changes.
Use intrusion detection systems (IDS) to flag potential exploitation attempts.

Zyxel credited Alessandro Sgreccia from HackerHood and Marco Ivaldi from HN Security for responsibly disclosing these vulnerabilities.