
Security researcher Alessandro Sgreccia (aka "rainpwn") has disclosed critical vulnerabilities in Zyxel's USG FLEX-H firewall series that, chained together, let an attacker execute code remotely (RCE) and escalate to root; the reporting describes the chain as reachable without valid credentials. The flaws, tracked as CVE-2025-1731 and CVE-2025-1732, affect models including the USG FLEX 100H and 700H, devices that organizations typically deploy as perimeter firewalls [1].
Technical Breakdown of the Exploits
The vulnerabilities stem from a PostgreSQL misconfiguration in the firewall firmware that lets an attacker bypass authentication to the database. CVE-2025-1731 yields code execution through crafted database queries; CVE-2025-1732 is a separate privilege escalation through SetUID binaries and administrator tokens leaked into log files. The researcher published a proof-of-concept (PoC) chaining the two to obtain a root shell without credentials [2]. One caveat for triage: Zyxel's own advisory for these CVEs rates CVE-2025-1731 as requiring an authenticated local attacker with low privileges, so the pre-authentication framing here reflects the researcher's chain and the secondary reporting rather than the vendor's rating. Check the advisory for the exact preconditions and the fixed firmware version before deciding how to prioritise it.
This follows a pattern of critical Zyxel flaws, including CVE-2024-40891, a command-injection bug reachable over telnet in Zyxel CPE devices, and CVE-2023-28771, an IKEv2 packet-handling flaw that was exploited to deploy Mirai botnet variants [3, 5]. GreyNoise observed mass exploitation attempts against CVE-2024-40891, with roughly 1,500 vulnerable devices exposed to the internet during those campaigns [1].
Mitigation and Detection Strategies
Zyxel had not released patches for the USG FLEX-H series at the time the cited reports were published (April 2025); verify the current status in Zyxel's advisory before relying on that. Until a fixed firmware is installed, organizations should immediately:
- Disable the PostgreSQL service if it is not required, or at least confine it to the loopback interface so it is never reachable from the network
- Monitor for anomalous telnet and PostgreSQL (TCP/5432 by default) traffic to and from the device
- Restrict the management interfaces (web UI, SSH) to trusted administrative IP ranges
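The first mitigation above is only verifiable if you can see how the database is configured. The script below is an added example (not Zyxel's or the researcher's code) for a Linux host whose PostgreSQL configuration you can read: it flags pg_hba.conf rules that grant password-less ("trust") access or open TCP access to every address, shows a hardened configuration beside the weak one, and counts SetUID-root binaries, which are the privilege-escalation surface the article mentions. The page does not say which setting was wrong on the USG FLEX-H; the weak and hardened files here are constructed for the demo, and the checks are generic PostgreSQL/Linux hardening, not a reproduction of the appliance's configuration.

```shell
#!/bin/sh
# Added example: audit pg_hba.conf for weak rules and count SetUID binaries.
# Not code from the article, Zyxel or the researcher; sample configs below
# are constructed for the demo.

# Print every pg_hba.conf rule that uses "trust" (no credentials required) or
# opens TCP access to every address. Exit status 1 if any weak rule exists.
audit_pg_hba() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            # local rules: TYPE DB USER METHOD
            # host rules:  TYPE DB USER ADDRESS METHOD
            if ($1 == "local") { addr = ""; method = $4 } else { addr = $4; method = $5 }
            if (method == "trust" || addr == "0.0.0.0/0" || addr == "::/0" || addr == "all") {
                print "WEAK: " $0
                bad++
            }
        }
        END { exit (bad > 0) }
    ' "$1"
}

# Count SetUID-root candidates under a tree; each one is a privilege-escalation
# surface if it can be made to execute attacker-controlled input.
count_setuid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | wc -l | tr -d ' '
}

# Constructed sample configurations (not taken from a real device).
write_samples() {
    dir="$1"
    cat > "$dir/pg_hba.weak.conf" <<'EOF'
# weak: any local user and any network peer may connect without a password
local   all   all                     trust
host    all   all   0.0.0.0/0         trust
host    all   all   ::/0              md5
EOF
    cat > "$dir/pg_hba.hardened.conf" <<'EOF'
# hardened: OS-user match on the socket, strong password auth over loopback only
local   all   all                     peer
hostssl all   all   127.0.0.1/32      scram-sha-256
hostssl all   all   ::1/128           scram-sha-256
EOF
}

# Stand-alone use: ./audit.sh /path/to/pg_hba.conf
if [ "$#" -gt 0 ]; then
    audit_pg_hba "$1"
fi
```

The `::/0 md5` line is flagged even though it requires a password: the point of the check is exposure, and a database listening for the whole internet with a password is still a brute-force target, which is why the hardened file also switches to `hostssl` with `scram-sha-256`.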
Network defenders should prioritise reviewing Zyxel device logs for signs of exploitation, particularly unexpected database activity (sessions from non-loopback peers, or statements that read or write files or spawn programs) and privilege changes to root. The CVSS 9.8 score reported for these flaws [2] reflects low attack complexity and high impact.
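The log review above, and the database-to-code-execution path described in the technical breakdown, can be turned into a concrete first-pass detector. The script below is an added example, not code from the article, Zyxel or the researcher: it scans syslog-style lines for PostgreSQL sessions from non-loopback peers, for SQL constructs that reach the host filesystem or a shell from inside a database session, and for sudo/su transitions to root. The sample log lines, the hostname `fw` and the query text are constructed for the demo; the regexes follow PostgreSQL's default statement/connection messages and sudo's syslog format, but should be adapted to the real appliance's log layout.

```python
"""Added example (not from the article, Zyxel or the researcher): scan
syslog-style lines for unexpected database activity and privilege changes.
All sample data below is constructed for the demo."""
import re
from dataclasses import dataclass

# PostgreSQL statements/functions that give a database session file or
# command access on the host (the usual "database -> code execution" path).
SUSPICIOUS_SQL = re.compile(
    r"(COPY\b.*\b(?:TO|FROM)\s+PROGRAM\b|\bCREATE\s+EXTENSION\b|\bpg_read_file\b|"
    r"\bpg_write_file\b|\blo_export\b|\blo_import\b|\bpg_ls_dir\b)",
    re.IGNORECASE,
)
PG_CONN = re.compile(r"connection (?:received|authorized):.*\bhost=(\S+)")
PG_STMT = re.compile(r"LOG:\s+statement:\s+(.*)$")
# sudo/su transitions to root, or an audit line announcing uid 0.
PRIV_CHANGE = re.compile(
    r"\b(?:sudo|su)\b.*\b(?:COMMAND=|session opened for user root)|\buid=0\b"
)
# Peers expected for an appliance-local database; anything else is a finding.
LOOPBACK_PREFIXES = ("127.", "[local]", "::1", "localhost")


@dataclass
class Finding:
    line_no: int
    reason: str
    text: str


def scan(lines):
    """Return a Finding for every line matching one of the three patterns."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = PG_CONN.search(line)
        if m and not m.group(1).startswith(LOOPBACK_PREFIXES):
            findings.append(Finding(n, f"PostgreSQL connection from non-loopback host {m.group(1)}", line))
        m = PG_STMT.search(line)
        if m and SUSPICIOUS_SQL.search(m.group(1)):
            findings.append(Finding(n, "file/command-capable SQL statement", line))
        if PRIV_CHANGE.search(line):
            findings.append(Finding(n, "privilege change to root", line))
    return findings


# Constructed sample log: a benign local session, then a remote session that
# runs COPY ... TO PROGRAM, then a sudo to a root shell.
SAMPLE_LOG = """\
Apr 21 10:02:11 fw postgres[1201]: LOG:  connection received: host=[local]
Apr 21 10:02:12 fw postgres[1201]: LOG:  statement: SELECT id, name FROM interfaces WHERE enabled = true
Apr 21 10:05:40 fw postgres[1340]: LOG:  connection received: host=10.0.0.77 port=50312
Apr 21 10:05:41 fw postgres[1340]: LOG:  statement: COPY (SELECT '') TO PROGRAM '/bin/sh -c id'
Apr 21 10:05:45 fw sudo: app : TTY=pts/0 ; PWD=/tmp ; USER=root ; COMMAND=/bin/sh
Apr 21 10:06:00 fw sshd[1400]: Accepted password for admin from 192.0.2.10 port 5022 ssh2
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"line {f.line_no}: {f.reason}\n    {f.text}")
```

On the sample, the benign local `SELECT` produces nothing, while the remote connection, the `COPY ... TO PROGRAM` statement and the `sudo` to root each produce one finding. Statement logging (`log_statement`) must be enabled on the database for the SQL check to see anything, so its absence is itself worth noting when reviewing an appliance's logging configuration.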
Historical Context and Ongoing Risks
Zyxel devices are frequent targets because of their wide enterprise deployment and history of critical vulnerabilities. CVE-2023-33012, in the VPN series, allowed similar pre-auth remote command execution via configuration-file manipulation [4]. The persistence of high-severity flaws underscores the importance of tracking each one's patch status:
| Vulnerability | Attack Vector | Patch Status |
|---|---|---|
| CVE-2025-1731 / CVE-2025-1732 | PostgreSQL misconfiguration → RCE → root escalation | Unpatched (as of April 2025) |
| CVE-2024-40891 | Telnet command injection | Partial |
| CVE-2023-28771 | IKEv2 packet handling | Patched in firmware 5.36+ |
The lack of patches for some critical flaws leaves many organizations exposed. Until updates are available, security teams should place affected devices on segmented networks and treat their management planes as untrusted.
Conclusion
These Zyxel vulnerabilities represent a clear and present danger to network security, particularly given their pre-authentication nature. The research by Sgreccia and independent confirmation by GreyNoise/VulnCheck highlight the urgent need for firmware updates and defensive measures. Organizations using affected devices should treat this as an active threat and implement compensatory controls immediately.
References
[1] "Attackers exploit zero-day vulnerability in Zyxel CPE devices," Cybersecurity Dive, 29 Jan. 2025.
[2] "Zyxel RCE Flaw Lets Attackers Run Commands Without Authentication," GBHackers, 24 Apr. 2025.
[3] "Zyxel warns of critical OS command injection flaw in routers," BleepingComputer, 3 Sep. 2024.
[4] "Zyxel VPN Series Pre-auth Remote Command Execution," SSD Disclosure, 25 Jan. 2024.
[5] "Hackers exploit critical Zyxel firewall flaw in ongoing attacks," BleepingComputer, 31 May 2023.