CVE-2025-9133

CWE-862 — Missing Authorization3 documents3 sources

Severity

8.1HIGH

EPSS

0.1%

top 82.46%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zyxel ZLD Zyxel ATP Series Firmware Zyxel Usg20(w)-vpn Series Firmware +2 more

Timeline

PublishedOct 21

Description

A missing authorization vulnerability in Zyxel ATP series firmware versions from V4.32 through V5.40, USG FLEX series firmware versions from V4.50 through V5.40, USG FLEX 50(W) series firmware versions from V4.16 through V5.40, and USG20(W)-VPN series firmware versions from V4.16 through V5.40 could allow a semi-authenticated attacker—who has completed only the first stage of the two-factor authentication (2FA) process—to view and download the system configuration from an affected device.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:NExploitability: 2.8 | Impact: 5.2

Affected Packages5 packages

▶CVEListV5zyxel/usg_flex_series_firmwareversions from V4.50 through V5.40

▶CVEListV5zyxel/usg_flex_50(w)_series_firmwareversions from V4.16 through V5.40

▶CVEListV5zyxel/usg20(w)-vpn_series_firmwareversions from V4.16 through V5.40

▶CVEListV5zyxel/atp_series_firmwareversions from V4.32 through V5.40

▶NVDzyxel/zld4.32 — 5.41+2

🔴Vulnerability Details

CVEList

CVE-2025-9133: A missing authorization vulnerability in Zyxel ATP series firmware versions from V4↗2025-10-21

▶

GHSA

GHSA-x59x-qc82-4w4p: A missing authorization vulnerability in Zyxel ATP series firmware versions from V4↗2025-10-21

▶