
CVE-2025-6265: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Zyxel NWA50AX PRO firmware

High
Tags: Vulnerability, CVE-2025-6265, CWE-22
Published: Tue Jul 15 2025 (07/15/2025, 01:32:10 UTC)
Source: CVE Database V5
Vendor/Project: Zyxel
Product: NWA50AX PRO firmware

Description

A path traversal vulnerability in the file_upload-cgi CGI program of Zyxel NWA50AX PRO firmware version 7.10(ACGE.2) and earlier could allow an authenticated attacker with administrator privileges to access specific directories and delete files, such as the configuration file, on the affected device.

AI-Powered Analysis

Last updated: 07/22/2025, 20:31:29 UTC

Technical Analysis

CVE-2025-6265 is a path traversal vulnerability identified in the Zyxel NWA50AX PRO firmware, specifically in the file_upload-cgi CGI program. This vulnerability affects firmware versions 7.10(ACGE.2) and earlier. The flaw arises due to improper limitation of pathname inputs, categorized under CWE-22, allowing an authenticated attacker with administrator privileges to traverse directories beyond the intended restricted scope. Exploiting this vulnerability enables the attacker to access sensitive directories and delete critical files, including the device's configuration file. The vulnerability is remotely exploitable over the network (AV:N) with low attack complexity (AC:L), but requires high privileges (PR:H) and no user interaction (UI:N). The impact is significant, affecting confidentiality, integrity, and availability (C:H/I:H/A:H) of the device. Although no known exploits are currently reported in the wild, the high CVSS score of 7.2 indicates a serious risk if exploited. The vulnerability could lead to device misconfiguration, denial of service, or unauthorized data manipulation, severely impacting network operations relying on the affected Zyxel access points.

Potential Impact

For European organizations, this vulnerability poses a substantial risk, especially for enterprises and service providers using Zyxel NWA50AX PRO access points in their network infrastructure. Successful exploitation could lead to deletion of configuration files, resulting in network outages or degraded wireless service availability. This could disrupt business operations, particularly in sectors relying heavily on wireless connectivity such as finance, healthcare, and manufacturing. Additionally, the compromise of device integrity could facilitate further lateral movement within the network, potentially exposing sensitive data or critical systems. Given the administrative privileges required, insider threats or compromised administrator accounts could be leveraged to exploit this vulnerability. The impact extends to compliance risks under regulations like GDPR if personal data confidentiality is compromised due to network disruptions or unauthorized access.

Mitigation Recommendations

Organizations should immediately verify the firmware version of their Zyxel NWA50AX PRO devices and prioritize upgrading to a patched version once available from Zyxel. In the absence of a patch, restrict administrative access to the device management interface through network segmentation and strict access control lists (ACLs), limiting it to trusted IP addresses only. Employ multi-factor authentication (MFA) for all administrator accounts to reduce the risk of credential compromise. Regularly audit and monitor device logs for unusual file deletion or access patterns indicative of exploitation attempts. Implement network intrusion detection systems (NIDS) with signatures or behavioral rules targeting suspicious CGI requests. Additionally, maintain offline backups of device configurations to enable rapid restoration in case of file deletion. Finally, educate administrators on secure management practices and the risks associated with elevated privileges.
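As an added defender-side example (not code from the advisory, from Zyxel, or from this site), here is the log check the mitigation section recommends: it runs over constructed access-log lines and flags requests to the file_upload-cgi endpoint whose decoded request target contains a directory-traversal sequence. The `/cgi-bin/` prefix, the `file` parameter name and the Combined Log Format are assumptions, since the advisory does not document how the device logs these requests.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (not real device output). The /cgi-bin/ prefix
# and the "file" parameter are assumptions; adjust both to what the device logs.
SAMPLE_LOG = """\
10.0.0.5 - admin [15/Jul/2025:09:12:01 +0000] "POST /cgi-bin/file_upload-cgi?file=firmware.bin HTTP/1.1" 200 512
10.0.0.7 - admin [15/Jul/2025:09:13:44 +0000] "POST /cgi-bin/file_upload-cgi?file=../../etc/config HTTP/1.1" 200 88
10.0.0.7 - admin [15/Jul/2025:09:14:02 +0000] "POST /cgi-bin/file_upload-cgi?file=%2e%2e%2f%2e%2e%2fstartup-config HTTP/1.1" 200 88
10.0.0.9 - - [15/Jul/2025:09:15:10 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

# Combined Log Format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# A ".." segment bounded by a path separator or a query delimiter on the left
# and a separator (or end of string) on the right; "a..b" in a filename is not flagged.
TRAVERSAL_RE = re.compile(r'(?:^|[/\\?=&;])\.\.(?:[/\\]|$)')


def fully_decode(s, max_rounds=3):
    """Percent-decode until stable (bounded), so double-encoded %252e%252e is caught too."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            return s
        s = decoded
    return s


def has_traversal(target):
    """True if the decoded request target contains a directory-traversal sequence."""
    return TRAVERSAL_RE.search(fully_decode(target)) is not None


def find_traversal_attempts(log_text):
    """Return one alert per request to file_upload-cgi that carries a traversal sequence."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        target = m.group("target")
        path = target.split("?", 1)[0]
        if not path.endswith("file_upload-cgi") or not has_traversal(target):
            continue
        alerts.append({"ip": m.group("ip"), "user": m.group("user"),
                       "ts": m.group("ts"), "decoded_target": fully_decode(target)})
    return alerts


if __name__ == "__main__":
    for alert in find_traversal_attempts(SAMPLE_LOG):
        print(alert)
```

Because exploitation requires administrator privileges, a hit from a legitimate admin account is still worth investigating, since it may indicate a compromised credential rather than a false positive.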


Technical Details

Data Version: 5.1
Assigner Short Name: Zyxel
Date Reserved: 2025-06-19T03:32:47.838Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6875b667a83201eaaccc25e4

Added to database: 7/15/2025, 2:01:11 AM

Last enriched: 7/22/2025, 8:31:29 PM

Last updated: 8/27/2025, 10:49:31 AM
