CVE-2025-8078
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-21

Last updated on: 2025-10-28

Assigner: Zyxel Corporation

Description
A post-authentication command injection vulnerability in Zyxel ATP series firmware versions from V4.32 through V5.40, USG FLEX series firmware versions from V4.50 through V5.40, USG FLEX 50(W) series firmware versions from V4.16 through V5.40, and USG20(W)-VPN series firmware versions from V4.16 through V5.40 could allow an authenticated attacker with administrator privileges to execute operating system (OS) commands on the affected device by passing a crafted string as an argument to a CLI command.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-21
Last Modified
2025-10-28
Generated
2026-06-16
AI Q&A
2025-10-21
EPSS Evaluated
2026-06-15
NVD
CVE-2025-8078
Affected Vendors & Products
Showing 19 associated CPEs
Vendor Product Version / Range
zyxel zld From 4.32 (inc) to 5.41 (exc)
zyxel atp100 *
zyxel atp100w *
zyxel atp200 *
zyxel atp500 *
zyxel atp700 *
zyxel atp800 *
zyxel zld From 4.50 (inc) to 5.41 (exc)
zyxel usg_flex_100 *
zyxel usg_flex_100ax *
zyxel usg_flex_100w *
zyxel usg_flex_200 *
zyxel usg_flex_50 *
zyxel usg_flex_500 *
zyxel usg_flex_50ax *
zyxel usg_flex_700 *
zyxel zld From 4.16 (inc) to 5.41 (exc)
zyxel usg_20w-vpn *
zyxel usg_flex_50w *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a post-authentication command injection in certain Zyxel firewall firmware versions. An attacker who is authenticated with administrator privileges can execute arbitrary operating system commands on the affected device by passing a specially crafted string as an argument to a command-line interface (CLI) command. [1]

Impact Analysis

If exploited, this vulnerability allows an attacker with administrator access to execute arbitrary OS commands on the device, potentially leading to full control over the device, disruption of services, data compromise, or further network penetration. [1]

Mitigation Strategies

Users should promptly update the affected Zyxel devices to ZLD firmware version 5.41, which contains patches addressing this vulnerability. Additionally, contacting Zyxel support or visiting Zyxel’s community resources for further assistance is recommended. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-8078. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart