CVE-2025-9133 · HIGH 8.1 · EPSS p91.7%

Description

A missing authorization vulnerability in Zyxel ATP series firmware versions from V4.32 through V5.40, USG FLEX series firmware versions from V4.50 through V5.40, USG FLEX 50(W) series firmware versions from V4.16 through V5.40, and USG20(W)-VPN series firmware versions from V4.16 through V5.40 could allow a semi-authenticated attacker—who has completed only the first stage of the two-factor authentication (2FA) process—to view and download the system configuration from an affected device.

Scoring

CVSS 3.1: 8.1 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS: 5.46% probability of exploitation · percentile 91.7% · 2026-06-19T12:03:05Z
Published: 2025-10-21
Last modified: 2025-10-28

Underlying weaknesses · 1

CWE-862

References

  1. https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-post-authentication-command-injection-and-missing-authorization-vulnerabilities-in-zld-firewalls-10-21-2025

| Type | Target | Confidence | Tier |
|---|---|---|---|
| Weakness | Missing Authorization (cwe-862) | 0% | live |

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: Zyxel Multiple Products Use of Hard-Coded Credentials Vulnerability
CVE: Zyxel Multiple Firewalls OS Command Injection Vulnerability
CVE: CVE-2025-8693
CVE: CVE-2025-13943
CVE: CVE-2025-0890
CVE: Zyxel Multiple Firewalls Buffer Overflow Vulnerability

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.