Incorrect Permission Assignment Vulnerability in Zyxel USG FLEX H Series Firmware
CVE-2025-1731

7.8 HIGH

Key Information:

Vendor: Zyxel
CVE Published: 22 April 2025

Badges

📈 Score: 163 | 👾 Exploit Exists | 📰 News Worthy

What is CVE-2025-1731?

CVE-2025-1731 is a vulnerability in the Zyxel USG FLEX H series firmware, specifically versions 1.20 to 1.31. The firmware manages network security functions, including firewall capabilities and the overall protection of sensitive information. The vulnerability is an incorrect permission assignment in PostgreSQL commands, which an authenticated local attacker with minimal privileges could exploit. A successful attacker could gain unauthorized access to the Linux shell, enabling them to execute malicious scripts or alter critical system configurations, provided the administrator remains logged in and the session token is valid. This could lead to significant security breaches in an organization's network.

Technical Details

The vulnerability resides in how the firmware of Zyxel's USG FLEX H series devices handles PostgreSQL commands. It allows low-privileged, authenticated local users to escalate their privileges by leveraging token-based access. Attackers can create malicious scripts that take advantage of this flaw, compromising the device's integrity and security. The escalation depends on the network administrator not having logged out: while their session remains active, the stolen token provides elevated permissions.

Potential impact of CVE-2025-1731

  1. Unauthorized System Access: Attackers could exploit this vulnerability to gain administrator-level access to the network devices, potentially leading to unauthorized control over critical security functions.

  2. Modification of Sensitive Configurations: With access to the Linux shell, an attacker could alter system configurations, compromising the firewall and network protection capabilities, thus exposing the organization to various security threats.

  3. Increased Risk of Data Breaches: The ability to execute malicious scripts can facilitate further exploitation opportunities, allowing unauthorized access to sensitive data stored within the network. This increases the risk of data breaches and compliance violations.

Affected Version(s)

USG FLEX H series uOS firmware from V1.20 through V1.31

News Articles

Zyxel RCE Flaw Lets Attackers Run Commands Without Authentication

Security researcher Alessandro Sgreccia (aka "rainpwn") has revealed a set of critical vulnerabilities in Zyxel’s USG FLEX-H firewall series.


Critical Zyxel Firewall Flaws Could Compromise Entire Systems - TechNadu

Improper file handling and relaxed permissions in Zyxel USG FLEX H series firewalls could allow local privilege escalation and compromise entire systems.


Zyxel Patches Privilege Management Vulnerabilities in USG FLEX H Series Firewalls

Zyxel Networks has released critical security patches to address two high-severity vulnerabilities in its USG FLEX H series firewalls that could potentially allow attackers to escalate privileges and gain unauthorized access to affected devices. 



CVSS V3.1

Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • 👾 Exploit known to exist

  • 📰 First article discovered by GBHackers News

  • Vulnerability published

  • Vulnerability Reserved
