CVE-2025-11730 is a command injection vulnerability classified under CWE-78, found in Zyxel ATP series and related firmware versions 5.35 through 5.41. The flaw exists in the Dynamic DNS (DDNS) configuration CLI command, which improperly neutralizes special characters in user-supplied input. An authenticated attacker with administrator privileges can exploit this vulnerability by providing a specially crafted string as an argument to the DDNS CLI command, resulting in arbitrary operating system command execution on the device. This can lead to full compromise of the device, allowing attackers to manipulate device configurations, execute malicious payloads, or disrupt network operations. The vulnerability does not require user interaction but does require administrative authentication, limiting exploitation to insiders or attackers who have already gained elevated access. The CVSS v3.1 base score is 7.2, reflecting high severity with network attack vector, low attack complexity, and high impact on confidentiality, integrity, and availability. No patches or exploit code are currently publicly available, but the vulnerability poses a significant risk given the critical role of these devices in network security and management.

The impact of CVE-2025-11730 is substantial for organizations relying on Zyxel ATP, USG FLEX, and related devices for network security and management. Successful exploitation allows attackers to execute arbitrary OS commands, potentially leading to full device compromise. This can result in unauthorized access to sensitive network configurations, interception or manipulation of network traffic, disruption of VPN and firewall services, and potential lateral movement within the network. The confidentiality, integrity, and availability of network infrastructure are at risk, which could lead to data breaches, service outages, and loss of trust. Given these devices are often deployed in enterprise, government, and critical infrastructure environments, the threat extends to national security and critical business operations. The requirement for administrative privileges limits the attack surface but also highlights the risk from insider threats or attackers who have already breached perimeter defenses.

To mitigate CVE-2025-11730, organizations should first verify if their Zyxel devices run affected firmware versions (5.35 through 5.41) and prioritize upgrading to patched versions once available. In the absence of immediate patches, restrict administrative access to trusted personnel and networks using strong authentication methods and network segmentation. Disable or limit the use of the DDNS feature if not required, or restrict CLI access to the DDNS configuration commands. Implement strict monitoring and logging of CLI commands and administrative activities to detect anomalous or suspicious inputs indicative of exploitation attempts. Employ network intrusion detection systems (NIDS) to identify unusual command injection patterns or unexpected device behavior. Regularly audit device configurations and credentials to minimize the risk of privilege escalation. Engage with Zyxel support for any available interim fixes or workarounds and maintain awareness of updates regarding this vulnerability.