Zyxel security advisory for incorrect permission assignment and improper privilege management vulnerabilities in USG FLEX H series firewalls
CVEs: CVE-2025-1731, CVE-2025-1732
Summary
Zyxel has released patches to address incorrect permission assignment and improper privilege management vulnerabilities in the USG FLEX H series firewalls. Users are advised to install them for optimal protection.
What are the vulnerabilities?
CVE-2025-1731
The incorrect permission assignment vulnerability in the PostgreSQL commands of certain USG FLEX H series uOS firmware versions could allow an authenticated local attacker with low privileges to gain access to the Linux shell and escalate their privileges by crafting malicious scripts or modifying system configurations with administrator-level access through a stolen token. Note that modifying the system configuration is only possible if the administrator has not logged out and the token remains valid.
CVE-2025-1732
The improper privilege management vulnerability in the recovery function of certain USG FLEX H series uOS firmware versions could allow an authenticated local attacker with administrator privileges to upload a crafted configuration file and escalate privileges on a vulnerable device.
What versions are vulnerable—and what should you do?
After a thorough investigation, we’ve identified only one vulnerable series of products within the vulnerability support period and released patches to address the vulnerabilities, as shown in the table below. Please note that all on-market products not listed in the table are unaffected.
| Firewall series | Affected version (CVE-2025-1731) | Affected version (CVE-2025-1732) | Patch availability |
|---|---|---|---|
| USG FLEX H | uOS V1.20 to V1.31 | uOS V1.31 | uOS V1.32 |
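As an added example (not part of Zyxel's advisory), the following Python check maps uOS firmware version strings of USG FLEX H devices onto the affected ranges in the table above, so an inventory can be screened for devices still needing the uOS V1.32 update. The hostnames and versions in the sample inventory are constructed, and the parser assumes a "uOS Vmajor.minor" form with an optional trailing build suffix.

```python
import re

# Affected ranges taken from the advisory table (inclusive major.minor tuples):
# CVE-2025-1731 affects uOS V1.20 through V1.31, CVE-2025-1732 affects uOS V1.31 only.
AFFECTED = {
    "CVE-2025-1731": ((1, 20), (1, 31)),
    "CVE-2025-1732": ((1, 31), (1, 31)),
}
PATCHED_VERSION = (1, 32)  # uOS V1.32 carries the fixes for both CVEs


def parse_uos_version(text: str) -> tuple[int, int]:
    """Parse strings like 'uOS V1.31', 'V1.20' or 'uOS V1.31(build)' into (major, minor).

    Assumption: the comparison is done on major.minor only; any trailing build
    suffix after the minor number is ignored.
    """
    m = re.fullmatch(r"\s*(?:uOS\s*)?V?(\d+)\.(\d+)(?![\d.]).*", text, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised uOS version string: {text!r}")
    return int(m.group(1)), int(m.group(2))


def applicable_cves(version: str) -> list[str]:
    """Return the CVEs from the advisory whose affected range contains this version."""
    v = parse_uos_version(version)
    return [cve for cve, (low, high) in AFFECTED.items() if low <= v <= high]


def needs_patch(version: str) -> bool:
    """True when at least one advisory CVE applies and the device is below uOS V1.32."""
    return bool(applicable_cves(version)) and parse_uos_version(version) < PATCHED_VERSION


def assess_inventory(inventory: dict[str, str]) -> dict[str, dict]:
    """Map each hostname to the CVEs that apply and whether the V1.32 update is needed."""
    return {
        host: {"cves": applicable_cves(ver), "needs_patch": needs_patch(ver)}
        for host, ver in inventory.items()
    }


# Constructed sample inventory of USG FLEX H firewalls (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "fw-branch-01": "uOS V1.20",
    "fw-branch-02": "uOS V1.31",
    "fw-hq-01": "uOS V1.32",
}

if __name__ == "__main__":
    for host, result in assess_inventory(SAMPLE_INVENTORY).items():
        print(host, result)
```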
Got a question?
Please contact your local service rep or visit Zyxel’s Community for further information or assistance.
Acknowledgment
Thanks to the following security researchers and consultancies:
- Alessandro Sgreccia from HackerHood and Marco Ivaldi from HN Security for CVE-2025-1731
- Alessandro Sgreccia from HackerHood for CVE-2025-1732
Revision history
2025-4-22: Initial release