High

Post-authenticated command injection in Zyxel ATP/USG FLEX/USG20(W)-VPN firmware

IdentifiersCVE-2025-8078CWE-78· Improper Neutralization of Special…

CVE-2025-8078 is a post-authentication command injection vulnerability affecting multiple Zyxel firewall product lines: ATP series firmware V4.32 through V5.40, USG FLEX series firmware V4.50 through V5.40, USG FLEX 50(W) series firmware V4.16 through V5.40, and USG20(W)-VPN series firmware V4.16 through V5.40. According to the provided content, an authenticated attacker with administrator privileges can execute operating system commands on the affected device by supplying a crafted string as an argument to a CLI command. The issue is consistent with improper neutralization of special elements in an OS command, allowing attacker-controlled input passed to the CLI handling path to reach underlying system command execution.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows execution of arbitrary OS commands on the affected Zyxel device in the context available to the vulnerable management/CLI component. Because the attacker must already hold administrator privileges, the practical impact is full compromise of the appliance management plane, including the ability to alter device configuration, disrupt security services, manipulate traffic handling, establish persistence, or use the device as a pivot point within the network.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, restrict administrative access to the device CLI and management interfaces to trusted hosts and dedicated management networks only; disable unnecessary remote administration paths; enforce MFA where supported; minimize the number of accounts with administrator privileges; monitor administrative command activity and configuration changes for anomalous behavior; and review logs for signs of crafted CLI input or unexpected command execution. Because exploitation is post-authentication and requires admin rights, reducing exposure of privileged management access materially lowers risk.

Remediation

Patch, then assume compromise.

Upgrade affected Zyxel devices to a fixed firmware release provided by Zyxel. The vulnerable ranges identified in the content are ATP series V4.32-V5.40, USG FLEX series V4.50-V5.40, USG FLEX 50(W) series V4.16-V5.40, and USG20(W)-VPN series V4.16-V5.40; organizations should move to the vendor release that is newer than and fixes V5.40-era affected builds, per Zyxel advisory guidance. Validate that all managed appliances, including standby/HA peers, are updated and that administrative credentials are rotated if compromise is suspected.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

Zyxel CommunicationsZldoperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

5 SOURCESView more in app

the hacker newsNews

Oct 27, 2025

⚡ Weekly Recap: WSUS Exploited, LockBit 5.0 Returns, Telegram Backdoor, F5 Breach Widens

A vulnerability listed as trending; no technical details provided in the content.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity4

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2025-8078

NVD

nvd.nist.gov/vuln/detail/CVE-2025-8078

MITRE CWE · CWE-78

Improper Neutralization of Special Elements…

Vendor Advisory

zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-post-authentication-command-injection-and-missing-authorization-vulnerabilities-in-zld-firewalls-10-21-2025