Zyxel Releases Patches for Privilege Management Vulnerabilities in Firewalls
Zyxel, a leading provider of secure networking solutions, has released critical security patches to address two privilege management vulnerabilities in the USG FLEX H series firewalls.
The flaws, tracked as CVE-2025-1731 and CVE-2025-1732, could allow authenticated local attackers to escalate privileges and gain unauthorized access to sensitive system functions.
Users are strongly urged to apply the updates immediately to mitigate potential risks.
Summary of Vulnerabilities
CVE-2025-1731: Incorrect Permission Assignment
This vulnerability exists in the PostgreSQL command processing of affected uOS firmware versions on the USG FLEX H series.
An attacker with low-level access and a valid session token—particularly if an admin has not logged out—can exploit permission errors to access the device’s Linux shell.
By crafting malicious scripts or modifying system configurations, the attacker could escalate privileges, potentially gaining unauthorized administrator-level access.
CVE-2025-1732: Improper Privilege Management
This flaw impacts the recovery function within specific firmware versions.
An attacker with administrator credentials could upload a specially crafted configuration file, exploiting weaknesses in privilege controls to further escalate their privileges or compromise the device’s integrity.
Affected Products and Patch Guidance
Following a detailed investigation, Zyxel identified only the USG FLEX H series within the support lifecycle as being susceptible.
Patches have been promptly issued. All other Zyxel firewall series are unaffected.
The table below illustrates affected versions and respective patch information:
| Firewall Series | Affected Versions | Patch Availability (CVE-2025-1731) | Patch Availability (CVE-2025-1732) |
| USG FLEX H | uOS V1.20 to V1.31 | uOS V1.31 | uOS V1.32 |
- Update immediately: Zyxel strongly advises customers using the USG FLEX H series with uOS V1.20 to V1.31 to upgrade to the latest firmware (uOS V1.32) to ensure comprehensive protection.
- Monitor: Regularly check for future updates and security advisories on Zyxel’s official support portal.
- Contact Support: For further guidance, users are encouraged to reach out to their local Zyxel service representative or visit the Zyxel Community.
Zyxel extends its gratitude to researchers Alessandro Sgreccia from HackerHood and Marco Ivaldi from HN Security for responsibly disclosing CVE-2025-1731, and to Alessandro Sgreccia for CVE-2025-1732.