CVE Alert: CVE-2025-9133 – Zyxel – ATP series firmware
CVE-2025-9133
A missing authorization vulnerability in Zyxel ATP series firmware versions from V4.32 through V5.40, USG FLEX series firmware versions from V4.50 through V5.40, USG FLEX 50(W) series firmware versions from V4.16 through V5.40, and USG20(W)-VPN series firmware versions from V4.16 through V5.40 could allow a semi-authenticated attacker—who has completed only the first stage of the two-factor authentication (2FA) process—to view and download the system configuration from an affected device.
AI Summary Analysis
Risk verdict
High risk: a missing-authorization flaw exposes the device configuration to an attacker who has completed only the first stage of 2FA; no explicit exploitation indicators are provided.
Why this matters
Configuration data typically contains network topology, access controls, VPN settings and secrets, enabling follow-on compromise or lateral movement. The flaw being exploitable remotely with low privileges increases the chance of rapid impact, including policy manipulation or credential leakage, with exposure risk heightened for organisations storing sensitive configurations on shared devices.
Most likely attack path
An attacker can reach the management surface over the network and, after completing the first stage of 2FA, retrieve the system configuration without further user interaction. With low privileges, they can access read functionality but may leverage the obtained config to escalate access or pivot to adjacent assets. The unrestricted scope implies exposure of critical settings but not necessarily destructive integrity changes.
Who is most exposed
Organisations relying on remote management of firewall/VPN gateways in SMB/SME environments are typically at highest risk, especially where management interfaces are exposed to the internet or reachable over connected VPNs.
Detection ideas
- Sudden bursts of config export/download activity from management endpoints
- Access events from accounts with partial or reduced authentication stage
- Reads of sensitive configuration files or endpoints by sessions that have not completed the second authentication factor
- Unusual source IPs accessing admin interfaces
- Large or repetitive read requests to config data
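The two ideas most specific to this flaw, a config download by a session that never completed the second 2FA stage and a burst of downloads in one session, can be checked with a small session-correlation script. This is an added example, not from the advisory or Zyxel; the log format, field names and event names are constructed assumptions, not Zyxel's syslog format, and would have to be mapped onto the real device logs.

```python
# Constructed, hypothetical log format (not Zyxel's): one event per line,
# "<iso-timestamp> user=<u> src=<ip> sid=<session> event=<name>".
# Assumed events: login_password_ok (first 2FA stage), login_otp_ok
# (second stage), config_download.
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2025-09-01T10:00:01 user=admin src=203.0.113.7 sid=A1 event=login_password_ok
2025-09-01T10:00:05 user=admin src=203.0.113.7 sid=A1 event=config_download
2025-09-01T10:00:06 user=admin src=203.0.113.7 sid=A1 event=config_download
2025-09-01T10:00:07 user=admin src=203.0.113.7 sid=A1 event=config_download
2025-09-01T11:30:00 user=ops src=198.51.100.4 sid=B2 event=login_password_ok
2025-09-01T11:30:09 user=ops src=198.51.100.4 sid=B2 event=login_otp_ok
2025-09-01T11:31:00 user=ops src=198.51.100.4 sid=B2 event=config_download
"""

def parse(line):
    ts, *kv = line.split()
    rec = dict(p.split("=", 1) for p in kv)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def find_suspicious(log_text, burst_n=3, burst_window=timedelta(minutes=5)):
    """Return (kind, sid, user, src) alerts for config downloads made by a
    session with no prior login_otp_ok, and for download bursts per session."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            r = parse(line)
            sessions[r["sid"]].append(r)
    alerts = []
    for sid, evts in sessions.items():
        otp_times = [e["ts"] for e in evts if e["event"] == "login_otp_ok"]
        downloads = [e for e in evts if e["event"] == "config_download"]
        for d in downloads:
            # The second factor must have been completed before the download.
            if not any(t <= d["ts"] for t in otp_times):
                alerts.append(("partial_2fa_download", sid, d["user"], d["src"]))
        # burst_n or more downloads inside burst_window is worth an alert on its own
        times = sorted(d["ts"] for d in downloads)
        for i in range(len(times) - burst_n + 1):
            if times[i + burst_n - 1] - times[i] <= burst_window:
                alerts.append(("download_burst", sid, downloads[0]["user"], downloads[0]["src"]))
                break
    return alerts

if __name__ == "__main__":
    for a in find_suspicious(SAMPLE_LOG):
        print(a)
```

On the constructed sample, session A1 produces three partial-2FA download alerts and one burst alert, while B2 (OTP completed before the download) produces none.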
Mitigation and prioritisation
- Apply patched firmware across the affected ranges as a priority; confirm the installed version on each device falls outside the affected version ranges.
- Enforce full MFA for all admin sessions and restrict config export to authorised roles only.
- Isolate or limit WAN management access; implement IP allowlists or VPN access with MFA.
- Review and reduce exposure of management interfaces; disable unused admin features where possible.
- Monitor config export events and implement alerts for large or anomalous downloads; perform regular config backups and rotation.