Router CVE Weekly Digest — Week of Oct 20, 2025

Published October 20, 2025 · RouterCVE Weekly Digest

4 CVEs, 4 rated High

Affected Vendors This Week

  • Zyxel — 2 CVEs (High)
  • OpenWrt Project — 2 CVEs (High)

Overview

This week brought four high-severity vulnerabilities from two sources: Zyxel's ATP and USG FLEX firewall lines and the OpenWrt project. Between them they cover the two ways an edge device usually falls: an unauthenticated hole in the management plane, and local bugs that turn a foothold into kernel or root privilege. All four warrant prompt attention from teams running the affected appliances or OpenWrt-based firmware.

Zyxel — 2 High-Severity Issues

Zyxel's ATP and USG FLEX lines carry two distinct flaws this week, a missing-authorization bug and a post-authentication command injection, affecting firmware V4.32 through V5.40 on the ATP series and V4.50 through V5.40 on the USG FLEX series.

CVE-2025-9133 (CVSS 8.1) is the more critical of the two: a missing authorization check that could let an unauthenticated attacker reach restricted administrative functions or sensitive data. Because no credentials are needed, exposure is decided entirely by who can reach the management interface; treat it as priority one on any appliance whose web or SSH management is reachable from the internet or from untrusted internal segments.

CVE-2025-8078 (CVSS 7.2) is a post-authentication command injection. The score is the clue to its preconditions: 7.2 for a network-reachable injection with full confidentiality, integrity and availability impact corresponds to a CVSS v3.1 vector with PR:H, so the attacker needs an account that already holds high privileges on the device. On its own that is a limited gain, but combined with phished or reused admin credentials it turns a management login into arbitrary OS command execution on the firewall itself.

Action: Confirm the running firmware on every ATP and USG FLEX appliance and upgrade anything in the affected ranges to V5.41 or later. Where patching has to wait, restrict the management interface to trusted networks via firewall rules or VPN. That blunts CVE-2025-9133, which needs no credentials, but does nothing against CVE-2025-8078 used from inside the trusted network, so also review which accounts hold administrative rights and retire any that are shared or unused.

OpenWrt Project — 2 High-Severity Kernel & Daemon Issues

OpenWrt builds prior to 24.10.4 carry two local vulnerabilities, each a path from an unprivileged local foothold to higher privilege:

CVE-2025-62525 (CVSS 7.9) is in the ltq-ptm driver, the Lantiq PTM (xDSL) network driver: its ioctl handler lets local users read and write arbitrary kernel memory. That is a direct path from any local shell, or any compromised local service, to full kernel-level compromise. The driver is built only for Lantiq xDSL targets, so check whether the module is actually loaded before treating a device as exposed.

CVE-2025-62526 (CVSS 7.9) is a heap buffer overflow in ubusd, the OpenWrt RPC message bus daemon, triggered while it parses event-registration messages from a connected client. ubusd runs as root and every system service talks through it, so code execution in its context is effectively root. Clients reach the bus over a local Unix socket, which keeps the bug local unless something on the device relays untrusted input into it.

Action: Upgrade to OpenWrt 24.10.4 or later as soon as possible. These bugs matter most where untrusted users have local accounts or where an exposed service on the router could be compromised and used as the local foothold. If you cannot patch immediately, reduce who can get that foothold: limit SSH (dropbear) to the LAN interface and key-based logins, do not expose ubus over HTTP (rpcd with uhttpd-mod-ubus) beyond what LuCI needs, and on non-Lantiq hardware confirm that ltq-ptm is not loaded, which takes CVE-2025-62525 off the table for that device.
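Both Action items above (Zyxel and OpenWrt) come down to the same check: compare each device's firmware against an affected range and rank what is left. As an added example, not a Zyxel or OpenWrt tool and not from the digest, here is that check as a small inventory triage script. The affected ranges and fixed versions are copied from the digest text; the inventory rows, the product-name patterns and the version normalisation (leading V dropped, trailing text such as patch labels ignored, so a V5.40 patch build is still treated as inside the affected range) are assumptions made for the example.

```python
"""Inventory triage against the affected ranges quoted in this digest.

Added example, not a vendor or OpenWrt tool. Affected ranges and fixed
versions are copied from the digest text; how version strings are
normalised (leading 'V' dropped, trailing text such as patch labels
ignored) and the inventory rows are assumptions made for the example."""
import re
from dataclasses import dataclass

_VERSION_RE = re.compile(r"^\s*[Vv]?(\d+(?:\.\d+)*)")


def parse_version(text: str) -> tuple[int, ...]:
    """'V5.40', 'V5.40 Patch 1', '24.10.2' -> (5, 40), (5, 40), (24, 10, 2).

    Assumption: anything after the dotted numeric part is ignored, so a
    'V5.40 Patch n' build compares as 5.40 and stays inside the range the
    digest lists (through V5.40, fixed in V5.41)."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


@dataclass(frozen=True)
class Advisory:
    cve: str
    product_re: str      # matched against the inventory's product field
    affected_from: str   # inclusive lower bound
    fixed_in: str        # exclusive upper bound: version < fixed_in is affected
    cvss: float
    note: str


# Ranges as stated in the digest: Zyxel ATP V4.32 to V5.40 and USG FLEX
# V4.50 to V5.40, fixed in V5.41; OpenWrt prior to 24.10.4.
ADVISORIES = [
    Advisory("CVE-2025-9133", r"^ATP", "4.32", "5.41", 8.1, "missing authorization (unauthenticated)"),
    Advisory("CVE-2025-9133", r"^USG FLEX", "4.50", "5.41", 8.1, "missing authorization (unauthenticated)"),
    Advisory("CVE-2025-8078", r"^ATP", "4.32", "5.41", 7.2, "post-auth command injection"),
    Advisory("CVE-2025-8078", r"^USG FLEX", "4.50", "5.41", 7.2, "post-auth command injection"),
    Advisory("CVE-2025-62525", r"^OpenWrt", "0", "24.10.4", 7.9, "ltq-ptm ioctl kernel memory r/w"),
    Advisory("CVE-2025-62526", r"^OpenWrt", "0", "24.10.4", 7.9, "ubusd heap overflow"),
]


def is_affected(adv: Advisory, product: str, version: str) -> bool:
    if not re.match(adv.product_re, product):
        return False
    v = parse_version(version)
    return parse_version(adv.affected_from) <= v < parse_version(adv.fixed_in)


def triage(inventory: list[dict]) -> list[dict]:
    """Return one finding per (device, CVE) pair, highest CVSS first."""
    findings = []
    for row in inventory:
        for adv in ADVISORIES:
            if is_affected(adv, row["product"], row["version"]):
                findings.append({
                    "host": row["host"], "product": row["product"],
                    "version": row["version"], "cve": adv.cve,
                    "cvss": adv.cvss, "fixed_in": adv.fixed_in, "note": adv.note,
                })
    findings.sort(key=lambda f: (-f["cvss"], f["cve"], f["host"]))
    return findings


# Constructed inventory for the example; these are not real hosts.
SAMPLE_INVENTORY = [
    {"host": "fw-edge-01", "product": "ATP500", "version": "V5.38"},
    {"host": "fw-branch-02", "product": "USG FLEX 100", "version": "V4.45"},
    {"host": "fw-dc-03", "product": "USG FLEX 200", "version": "V5.41"},
    {"host": "ap-lab-07", "product": "OpenWrt", "version": "24.10.2"},
    {"host": "ap-lab-08", "product": "OpenWrt", "version": "24.10.4"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f['cvss']:>4}  {f['cve']:<15} {f['host']:<13} {f['product']} "
              f"{f['version']} -> fix {f['fixed_in']}  ({f['note']})")
```

On the constructed inventory this flags fw-edge-01 for both Zyxel CVEs and ap-lab-07 for both OpenWrt CVEs, and leaves the USG FLEX on V4.45 alone because the digest's USG FLEX range starts at V4.50. Feed it your real inventory export and the top of the list is where the unauthenticated CVE-2025-9133 lands; the same list is the starting point for the management-plane restriction and the ltq-ptm module check described above.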