CVE-2025-6265: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Zyxel NWA50AX PRO firmware
A path traversal vulnerability in the file_upload-cgi CGI program of Zyxel NWA50AX PRO firmware version 7.10(ACGE.2) and earlier could allow an authenticated attacker with administrator privileges to access specific directories and delete files, such as the configuration file, on the affected device.
AI Analysis
Technical Summary
CVE-2025-6265 is a path traversal vulnerability categorized under CWE-22, found in the file_upload-cgi CGI program of Zyxel NWA50AX PRO firmware versions 7.10(ACGE.2) and earlier. The vulnerability allows an attacker who has authenticated with administrator privileges to supply file paths that the application does not properly restrict, enabling access to directories outside the intended upload directory. This can lead to unauthorized deletion of files, including critical configuration files, potentially causing device misconfiguration or denial of service. The flaw stems from insufficient validation and sanitization of user-supplied pathname inputs, allowing traversal sequences (e.g., ../) to escape the restricted directory context. The CVSS 3.1 base score of 7.2 reflects a high severity due to the network attack vector, low attack complexity, requirement for high privileges, and impact on confidentiality, integrity, and availability. Although no exploits have been reported in the wild, the vulnerability poses a significant risk to organizations relying on these devices for network access points. The attacker must have administrator credentials, which limits exploitation to insiders or attackers who have compromised admin accounts. The vulnerability highlights the importance of secure input validation in CGI programs handling file operations on embedded devices.
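The containment check that CWE-22 calls for, as an added example (not Zyxel's code and not taken from the firmware): a file name from a request is joined to the upload root, normalized lexically, and accepted only if it still sits strictly below that root. The UPLOAD_DIR value and the function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed upload root; the advisory does not name the firmware's real path. */
#define UPLOAD_DIR "/tmp/upload"

/* Lexically collapse "//", "." and ".." in an absolute path.
 * Returns 0 on success, -1 on overflow or if ".." climbs above "/". */
static int normalize(const char *in, char *out, size_t outsz) {
    size_t len = 0;
    if (in[0] != '/' || outsz < 2) return -1;
    out[0] = '\0';
    while (*in) {
        while (*in == '/') in++;
        size_t n = strcspn(in, "/");
        if (n == 0) break;
        if (n == 2 && in[0] == '.' && in[1] == '.') {
            if (len == 0) return -1;
            while (len > 0 && out[--len] != '/') { }
            out[len] = '\0';
        } else if (!(n == 1 && in[0] == '.')) {
            if (len + 1 + n >= outsz) return -1;
            out[len++] = '/';
            memcpy(out + len, in, n);
            len += n;
            out[len] = '\0';
        }
        in += n;
    }
    if (len == 0) { out[0] = '/'; out[1] = '\0'; }
    return 0;
}

/* The weak pattern is snprintf(path, ..., "%s/%s", UPLOAD_DIR, name) followed
 * directly by unlink(path). This version joins, normalizes, then checks.
 * `name` must already be URL-decoded. Returns 0 and fills `out` if allowed. */
int resolve_in_upload_dir(const char *name, char *out, size_t outsz) {
    char joined[512];
    size_t blen = strlen(UPLOAD_DIR);
    int n = snprintf(joined, sizeof joined, "%s/%s", UPLOAD_DIR, name);
    if (n < 0 || (size_t)n >= sizeof joined) return -1;
    if (normalize(joined, out, outsz) != 0) return -1;
    /* Require UPLOAD_DIR plus '/', so the root itself and siblings such as
     * "/tmp/upload_old" do not pass a bare prefix match. */
    if (strncmp(out, UPLOAD_DIR, blen) != 0 || out[blen] != '/') return -1;
    return 0;
}
```

The check is lexical only and does not follow symbolic links; on a real device it would be paired with realpath() or with unlinkat() against a directory descriptor opened on the upload root.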
Potential Impact
The vulnerability can severely impact organizations by enabling attackers with administrative access to delete critical files, such as configuration files, on Zyxel NWA50AX PRO devices. This can lead to device misconfiguration, loss of network access, and potential denial of service, disrupting business operations. Confidentiality is at risk as attackers may access restricted directories, potentially exposing sensitive data. Integrity is compromised through unauthorized file deletions or modifications, and availability is affected due to possible device outages or forced reconfiguration. Since the vulnerability requires administrator privileges, the threat is elevated in environments where credential compromise or insider threats are possible. The widespread use of Zyxel access points in enterprise, government, and critical infrastructure networks means that exploitation could have cascading effects on network security and operational continuity. The lack of known exploits currently reduces immediate risk but does not eliminate the potential for future attacks, especially if attackers develop automated tools.
Mitigation Recommendations
Organizations should immediately audit and restrict administrative access to Zyxel NWA50AX PRO devices, ensuring that only trusted personnel can authenticate with administrator privileges. Network segmentation and access controls should be enforced to limit exposure of management interfaces. Monitoring and logging of administrative actions can help detect suspicious activity. Since no official patches are currently available, organizations should contact Zyxel for firmware updates and apply them promptly once released. As a temporary measure, disable or restrict access to the vulnerable file_upload-cgi CGI program if possible. Employ strong password policies and multi-factor authentication to reduce the risk of credential compromise. Regular backups of device configurations should be maintained to enable rapid recovery in case of file deletion or device misconfiguration. Finally, consider deploying network intrusion detection systems tuned to detect anomalous file access or deletion attempts on these devices.
Affected Countries
United States, Germany, United Kingdom, France, Japan, South Korea, Australia, Canada, Netherlands, Singapore
Technical Details
- Data Version: 5.1
- Assigner Short Name: Zyxel
- Date Reserved: 2025-06-19T03:32:47.838Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6875b667a83201eaaccc25e4
Added to database: 7/15/2025, 2:01:11 AM
Last enriched: 2/27/2026, 4:11:01 AM
Last updated: 3/22/2026, 4:18:34 PM