CVE Alert: CVE-2025-8078 – Zyxel – ATP series firmware
CVE-2025-8078
A post-authentication command injection vulnerability in Zyxel ATP series firmware versions from V4.32 through V5.40, USG FLEX series firmware versions from V4.50 through V5.40, USG FLEX 50(W) series firmware versions from V4.16 through V5.40, and USG20(W)-VPN series firmware versions from V4.16 through V5.40 could allow an authenticated attacker with administrator privileges to execute operating system (OS) commands on the affected device by passing a crafted string as an argument to a CLI command.
AI Summary Analysis
Risk verdict
High risk: a post-authentication command injection reachable over the network. It requires administrator privileges, but grants OS command execution on affected Zyxel devices, with high potential impact to confidentiality, integrity and availability.
Why this matters
Exploitation enables an admin-level attacker to run arbitrary OS commands, potentially disabling security controls, exfiltrating data, or pivoting within the network. The vulnerability spans several Zyxel appliance families used as perimeters or VPN gateways in many organisations, increasing the blast radius for exposed management interfaces.
Most likely attack path
An attacker holding legitimate administrator credentials sends a crafted argument to a CLI command through the device's network-facing management interface, causing the underlying OS to execute the injected commands. Low attack complexity and network reachability mean exploitation needs no user interaction; the unchanged scope indicates that the impact stays on the compromised device rather than crossing into other security boundaries.
Who is most exposed
Enterprise and mid-market deployments using Zyxel ATP, USG FLEX and related series with internet-facing or broadly accessible management CLI are most at risk, especially where admin credentials are shared or poorly rotated.
Detection ideas
- Look for unusual OS commands executed via management CLI after admin login.
- Alerts for crafted or anomalous arguments submitted to known CLI commands.
- Post-authentication activity deviating from normal admin tasks; unexpected process spawning.
- Changes to critical device processes or high-privilege operations shortly after login.
- Correlation between admin logins and rapid config or policy changes.
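An added detection example covering the first, second and last ideas above. It is not from the advisory and does not use Zyxel's real audit-log syntax: the log layout, field names and sample lines are constructed for illustration. It flags CLI commands whose arguments carry shell metacharacters and correlates each hit with a preceding admin login.

```python
import re
from datetime import datetime, timedelta

# Shell metacharacters that have no business in a CLI argument such as a
# hostname, interface name or IP address (the injection vector in CVE-2025-8078).
META = re.compile(r"[;|&`$<>]")

# Constructed log layout (hypothetical, NOT Zyxel's format):
#   "<date> <time> <user> <LOGIN|CLI> <detail>"
LINE = re.compile(r"^(\S+ \S+) (\S+) (LOGIN|CLI) (.*)$")

# Constructed sample audit lines for the demo.
SAMPLE = [
    "2025-08-01 10:00:00 admin LOGIN role=admin src=203.0.113.5",
    "2025-08-01 10:00:30 admin CLI show version",
    "2025-08-01 10:01:05 admin CLI ping 192.0.2.1;id",
    "2025-08-01 10:02:00 admin CLI show interface ge1",
    "2025-08-01 11:30:00 ops CLI ping $(whoami)",   # no admin login seen for 'ops'
]

def parse(line):
    """Split one audit line into fields; return None for unrecognised lines."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return {"ts": ts, "user": m.group(2), "event": m.group(3), "detail": m.group(4)}

def detect(lines, window=timedelta(minutes=10)):
    """Return CLI commands with metacharacters in their arguments, noting whether
    the same user performed an admin login within `window` beforehand."""
    last_admin_login = {}          # user -> timestamp of most recent admin login
    findings = []
    for raw in lines:
        rec = parse(raw)
        if rec is None:
            continue
        if rec["event"] == "LOGIN" and "role=admin" in rec["detail"]:
            last_admin_login[rec["user"]] = rec["ts"]
        elif rec["event"] == "CLI":
            cmd, _, args = rec["detail"].partition(" ")
            if META.search(args):
                login = last_admin_login.get(rec["user"])
                recent = login is not None and rec["ts"] - login <= window
                findings.append({"ts": rec["ts"], "user": rec["user"],
                                 "command": cmd, "args": args,
                                 "after_admin_login": recent})
    return findings

if __name__ == "__main__":
    for f in detect(SAMPLE):
        print(f)
```

In production the regex should be tuned per command (some arguments legitimately contain `|` or `$`), and the findings forwarded to the SIEM with the login source address attached.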
Mitigation and prioritisation
- Update to vendor-released firmware that contains the fix; verify against Zyxel advisory.
- Restrict management CLI access to trusted networks and admin workstations; disable remote management where possible.
- Enforce strong admin authentication and rotate credentials; enable MFA if available.
- Enable detailed CLI command auditing and SIEM alerts for suspicious OS commands.
- Plan and test the patch as a high-priority change; if KEV is confirmed or EPSS ≥ 0.5, treat as priority 1.