CVE-2025-9133

216.73.216.6

· Published 21/10/2025 03:15 · Modified 21/10/2025 19:31

Labels: CVE-2025-9133 2025-10-21 CVE-2025-9133 CWE-862 [email protected]

Essential information

Published: 21/10/2025 03:15
Modified: 21/10/2025 19:31
Author: —
Creator: —
CVSS: 8.1 HIGH (v3.1)
CISA KEV: No
CWE: —
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CVSS metrics

Description

A missing authorization vulnerability in Zyxel ATP series firmware versions from V4.32 through V5.40, USG FLEX series firmware versions from V4.50 through V5.40, USG FLEX 50(W) series firmware versions from V4.16 through V5.40, and USG20(W)-VPN series firmware versions from V4.16 through V5.40 could allow a semi-authenticated attacker—who has completed only the first stage of the two-factor authentication (2FA) process—to view and download the system configuration from an affected device.

NVD status

Status: Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]
NVD: View on NVD

Affected products (CPE)

Product	CPE
zyxel / atp	`cpe:2.3:a:zyxel:atp::4.32-5.40::::::*`
zyxel / usg flex	`cpe:2.3:a:zyxel:usg_flex::4.50-5.40::::::*`
zyxel / usg flex 50	`cpe:2.3:a:zyxel:usg_flex_50:w::4.16-5.40::::::*`
zyxel / usg20	`cpe:2.3:a:zyxel:usg20:vpn::4.16-5.40::::::*`