CVE-2025-8078
BaseFortify
Publication date: 2025-10-21
Last updated on: 2025-10-28
Assigner: Zyxel Corporation
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zyxel | zld | From 4.32 (inc) to 5.41 (exc) |
| zyxel | atp100 | * |
| zyxel | atp100w | * |
| zyxel | atp200 | * |
| zyxel | atp500 | * |
| zyxel | atp700 | * |
| zyxel | atp800 | * |
| zyxel | zld | From 4.50 (inc) to 5.41 (exc) |
| zyxel | usg_flex_100 | * |
| zyxel | usg_flex_100ax | * |
| zyxel | usg_flex_100w | * |
| zyxel | usg_flex_200 | * |
| zyxel | usg_flex_50 | * |
| zyxel | usg_flex_500 | * |
| zyxel | usg_flex_50ax | * |
| zyxel | usg_flex_700 | * |
| zyxel | zld | From 4.16 (inc) to 5.41 (exc) |
| zyxel | usg_20w-vpn | * |
| zyxel | usg_flex_50w | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a post-authentication command injection in certain Zyxel firewall firmware versions. An attacker who is authenticated with administrator privileges can execute arbitrary operating system commands on the affected device by passing a specially crafted string as an argument to a command-line interface (CLI) command. [1]
How can this vulnerability impact me?
If exploited, this vulnerability allows an attacker with administrator access to execute arbitrary OS commands on the device, potentially leading to full control over the device, disruption of services, data compromise, or further network penetration. [1]
What immediate steps should I take to mitigate this vulnerability?
Users should promptly update the affected Zyxel devices to ZLD firmware version 5.41, which contains patches addressing this vulnerability. Additionally, contacting Zyxel support or visiting Zyxel's community resources for further assistance is recommended. [1]