CVE-2025-11730: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Zyxel ATP series firmware
CVE-2025-11730 is a high-severity post-authentication OS command injection vulnerability affecting Zyxel ATP, USG FLEX, and USG VPN series firmware versions 5.35 through 5.41. An attacker with administrator privileges can exploit a flaw in the Dynamic DNS (DDNS) CLI command by supplying a crafted argument, enabling arbitrary OS command execution on the device. This vulnerability impacts the confidentiality, integrity, and availability of affected devices. No public exploits are currently known. European organizations using these Zyxel devices, especially in critical network infrastructure, face significant risk. Mitigation requires prompt firmware updates once patches are released and, in the meantime, tight restriction of administrative access. Countries with high Zyxel market penetration and strategic reliance on these devices in network infrastructure are most at risk. The CVSS v3.1 base score is 7.2 (High).
AI Analysis
Technical Summary
CVE-2025-11730 is a command injection vulnerability classified under CWE-78, reported in Zyxel ATP series firmware and the related USG FLEX and USG VPN series firmware, versions 5.35 through 5.41. The flaw exists in the Dynamic DNS (DDNS) configuration CLI command, which fails to neutralize special characters in the user-supplied argument before that argument reaches the underlying operating system. An authenticated attacker with administrator privileges can exploit this by passing a specially crafted string as the argument to the DDNS CLI command, resulting in arbitrary OS command execution on the device. Because the command runs with the privileges of the firmware process handling the CLI, this can lead to full compromise of the appliance: attackers can alter device configuration, exfiltrate sensitive data such as credentials and VPN material, disrupt network traffic, or pivot into internal networks. The vulnerability requires no user interaction beyond authentication but does require elevated privileges, which limits exploitation to insiders or attackers who have already obtained administrative credentials. The CVSS v3.1 base score of 7.2 reflects a network attack vector, low attack complexity, high privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. Although no exploits are publicly known, the vulnerability poses a significant risk given the critical role of these devices at the perimeter of enterprise and service provider networks. No patch information was available at the time of this write-up, so immediate risk reduction depends on access restrictions and monitoring.
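The paragraph above describes the CWE-78 pattern in general terms: a CLI argument is spliced into an OS command without neutralizing shell metacharacters. The following is an added illustration, not Zyxel code and not derived from the affected firmware; the real handler, the DDNS update program, and the CLI syntax are unknown, so a `echo` invocation stands in for the updater. It shows the vulnerable construction beside the two standard fixes: an allowlist check on the argument and execution through an argv list so that no shell ever parses it.

```python
"""Simulated DDNS CLI handler: the CWE-78 pattern beside its hardened form.

Constructed illustration only. `echo` stands in for the (unknown) DDNS
update program, and the function names are hypothetical.
"""
import re
import subprocess

# RFC 1123 hostname: labels of letters, digits and hyphens, joined by dots.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*\.?$")


def vulnerable_ddns_update(hostname: str) -> str:
    """Vulnerable: the CLI argument is spliced into a shell command line.

    Any shell metacharacter in `hostname` (; | & ` $( newline) is interpreted
    by /bin/sh, so an administrator-supplied argument becomes arbitrary OS
    commands. Combined stdout/stderr is returned so the effect is visible.
    """
    cmd = f"echo {hostname}"  # hypothetical updater invocation built by string concatenation
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout + result.stderr


def validate_hostname(hostname: str) -> str:
    """Allowlist check: accept only a syntactically valid hostname, reject all else."""
    if len(hostname) > 253 or not _HOSTNAME_RE.match(hostname):
        raise ValueError(f"invalid DDNS hostname: {hostname!r}")
    return hostname


def exec_without_shell(hostname: str) -> str:
    """Pass the argument as one argv element; no shell parses it.

    Shown separately from validation to demonstrate that metacharacters are
    inert on this path even when the allowlist check is skipped.
    """
    result = subprocess.run(["echo", hostname], capture_output=True, text=True)
    return result.stdout


def hardened_ddns_update(hostname: str) -> str:
    """Hardened: allowlist validation, then exec through an argv list."""
    return exec_without_shell(validate_hostname(hostname))


if __name__ == "__main__":
    payload = "example.com; echo INJECTED"  # constructed injection string
    print("vulnerable:", repr(vulnerable_ddns_update(payload)))
    print("argv only :", repr(exec_without_shell(payload)))
    try:
        hardened_ddns_update(payload)
    except ValueError as exc:
        print("hardened  :", exc)
```

Run it directly to see the three behaviours side by side: the vulnerable path executes the injected `echo INJECTED`, the argv path prints the payload literally as a single argument, and the hardened path rejects it before anything runs. Both fixes belong together: the allowlist gives a clear error to the operator, and the argv execution removes the shell as an interpreter so a future validation bug cannot reintroduce the injection.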
Potential Impact
For European organizations, this vulnerability poses a significant threat to network security and operational continuity. Zyxel ATP and USG series devices are commonly deployed as firewalls, VPN gateways, and unified threat management appliances in enterprises, government agencies, and critical infrastructure sectors. Successful exploitation could allow attackers to gain persistent control over these devices, leading to data breaches, network disruptions, and lateral movement within internal networks. Confidentiality is at risk through exfiltration of traffic, configuration, and credentials; integrity is compromised through unauthorized configuration changes such as altered firewall rules or VPN settings; and availability may be affected by denial-of-service conditions or deliberate misconfiguration. The requirement for administrator privileges reduces the risk from unauthenticated external attackers but shifts the threat toward insiders and toward anyone who obtains administrative credentials, for example through phishing, credential reuse, or a management interface exposed to the internet. Given the strategic importance of network perimeter devices, the impact on European organizations could be severe, especially in sectors like finance, energy, healthcare, and public administration.
Mitigation Recommendations
1. Immediately restrict administrative access to Zyxel ATP, USG FLEX, and USG VPN devices to trusted personnel and secure management networks. The flaw is only reachable by an authenticated administrator, so limiting who can reach the CLI is the primary control until a fix is available.
2. Implement multi-factor authentication (MFA) for all administrative accounts to reduce the risk of credential compromise.
3. Forward device logs to a central syslog collector and monitor CLI command usage for DDNS configuration commands that carry shell metacharacters or arguments that are not valid hostnames; these are indicative of exploitation attempts.
4. Segment management interfaces from general network access to limit exposure, and in particular do not expose SSH, HTTPS, or Telnet management on the WAN side.
5. Regularly audit administrative accounts and remove or disable unused or default accounts.
6. Once Zyxel releases firmware patches addressing CVE-2025-11730, prioritize prompt testing and deployment of these updates.
7. Employ network intrusion detection systems (NIDS) for post-exploitation indicators such as unexpected outbound connections from the device. Note that SSH and HTTPS management sessions are encrypted, so a NIDS cannot see the CLI argument itself; the device's own logs are the place to detect the injected command.
8. Educate administrators about the risks of command injection vulnerabilities and the importance of secure credential management.
9. Consider temporary compensating controls such as disabling DDNS features if not required until patches are available. Whether disabling the service also removes the vulnerable CLI path is not stated in the advisory, so treat this as a partial control rather than a substitute for items 1 and 4.
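Recommendation 3 above calls for monitoring CLI logs for suspicious DDNS commands. The following is an added detection example, not tooling from Zyxel or from this advisory's source. The syslog line layout and the `ddns profile ... host ...` CLI syntax are constructed for illustration and are not Zyxel's documented formats; adapt the line regex to the CLI audit records your devices actually emit. The logic applies two independent checks: a denylist of shell metacharacters, which catches obvious injection attempts, and an allowlist check that the host argument is a valid hostname, which catches anything the denylist misses.

```python
"""Flag DDNS CLI commands in device audit logs that carry shell metacharacters
or host arguments that are not valid hostnames.

Added detection example. The log format and CLI syntax below are constructed
for illustration and are NOT Zyxel's documented formats.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample records: "<ts> <host> cli: user=<u> src=<ip> cmd="<cli command>""
SAMPLE_LOG = """\
2026-02-05T02:10:11Z fw-edge01 cli: user=admin src=10.20.0.5 cmd="show ddns"
2026-02-05T02:10:39Z fw-edge01 cli: user=admin src=10.20.0.5 cmd="ddns profile office host office.example.net"
2026-02-05T02:11:02Z fw-edge01 cli: user=svc_backup src=203.0.113.77 cmd="ddns profile office host office.example.net;id"
2026-02-05T02:11:30Z fw-edge01 cli: user=admin src=10.20.0.5 cmd="ddns profile office host $(id).example.net"
2026-02-05T02:11:55Z fw-edge01 cli: user=admin src=10.20.0.5 cmd="ddns profile office host office_example.net"
2026-02-05T02:12:00Z fw-edge01 cli: user=admin src=10.20.0.5 cmd="interface ge1 ip 192.0.2.1 255.255.255.0"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) cli: user=(?P<user>\S+) src=(?P<src>\S+) cmd="(?P<cmd>.*)"$'
)
# Characters that let /bin/sh start a second command or expand input.
META_RE = re.compile(r'[;&|`<>\n]|\$\(|\$\{|\\')
# RFC 1123 hostname used as the allowlist for the host argument.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*\.?$")


@dataclass
class Finding:
    ts: str
    user: str
    src: str
    cmd: str
    reason: str


def inspect_line(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious DDNS CLI command, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None  # not a CLI audit record in the expected layout
    cmd = m["cmd"]
    tokens = cmd.split()
    if not tokens or tokens[0] != "ddns":
        return None  # only the DDNS command family is in scope here
    reason = None
    if META_RE.search(cmd):
        reason = "shell metacharacter in DDNS CLI argument"
    elif "host" in tokens:
        idx = tokens.index("host")
        value = tokens[idx + 1] if idx + 1 < len(tokens) else ""
        if not HOSTNAME_RE.match(value):
            reason = "DDNS host argument is not a valid hostname"
    if reason is None:
        return None
    return Finding(m["ts"], m["user"], m["src"], cmd, reason)


def scan(log_text: str) -> List[Finding]:
    """Run inspect_line over every record and collect the findings."""
    return [f for f in (inspect_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} user={f.user} src={f.src} {f.reason}: {f.cmd}")
```

On the constructed sample this flags three of the six records: the `;id` suffix and the `$(id)` substitution via the metacharacter check, and `office_example.net` via the hostname allowlist (an underscore is not valid in a hostname but contains no metacharacter). The `show ddns` and `interface` lines are ignored. In production, enrich each finding with the source address so that a DDNS command from an unexpected management host, like the `203.0.113.77` entry here, is escalated regardless of its argument.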
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: Zyxel
- Date Reserved: 2025-10-14T02:35:13.097Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6983fd2df9fa50a62fcc4d89
Added to database: 2/5/2026, 2:15:09 AM
Last enriched: 2/5/2026, 2:29:31 AM
Last updated: 2/5/2026, 5:30:43 AM