
CVE-2025-6265: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Zyxel NWA50AX PRO firmware

Severity: High
Tags: Vulnerability, CVE-2025-6265, cve, cwe-22
Published: Tue Jul 15 2025 (07/15/2025, 01:32:10 UTC)
Source: CVE Database V5
Vendor/Project: Zyxel
Product: NWA50AX PRO firmware

Description

A path traversal vulnerability in the file_upload-cgi CGI program of Zyxel NWA50AX PRO firmware version 7.10(ACGE.2) and earlier could allow an authenticated attacker with administrator privileges to access specific directories and delete files, such as the configuration file, on the affected device.

AI-Powered Analysis

Last updated: 07/15/2025, 02:16:14 UTC

Technical Analysis

CVE-2025-6265 is a path traversal vulnerability in the Zyxel NWA50AX PRO firmware, affecting version 7.10(ACGE.2) and earlier. The flaw lies in the file_upload-cgi CGI program, which handles file uploads on the device. Because the program does not properly limit the pathname it receives (CWE-22), an authenticated attacker with administrator privileges can traverse outside the intended restricted directories. This allows the attacker to access and delete critical files on the device, including configuration files. The vulnerability has a CVSS v3.1 base score of 7.2 (high). The vector metrics indicate that the attack can be performed remotely over the network (AV:N) with low attack complexity (AC:L), but requires high privileges (PR:H) and no user interaction (UI:N). The impact is rated high for confidentiality, integrity, and availability (C:H/I:H/A:H): an attacker can read sensitive information, alter or delete files, and disrupt device functionality. No public exploits are currently known in the wild, and no patches have been linked yet. The vulnerability matters because the Zyxel NWA50AX PRO is a wireless access point commonly deployed in enterprise and SMB environments, and the ability to delete configuration files could cause a denial of service or, if the attacker also modifies device settings or firmware, a persistent compromise.

Potential Impact

For European organizations, this vulnerability poses a substantial risk, especially for those relying on Zyxel NWA50AX PRO devices within their network infrastructure. The ability for an authenticated administrator-level attacker to delete configuration files can lead to network outages, loss of device configuration, and potential exposure of sensitive network settings. This could disrupt business operations, particularly in sectors where continuous network availability is critical, such as finance, healthcare, and manufacturing. Furthermore, compromised devices could be used as footholds for lateral movement within corporate networks, increasing the risk of broader compromise. Given that the vulnerability requires administrator privileges, insider threats or compromised administrator credentials are the primary risk vectors. However, the low attack complexity and remote network accessibility increase the likelihood of exploitation once credentials are obtained. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as attackers often develop exploits rapidly after public disclosure.

Mitigation Recommendations

Organizations should immediately verify whether their Zyxel NWA50AX PRO devices are running firmware version 7.10(ACGE.2) or earlier. Until an official patch is released, the following specific mitigations are recommended:

1) Restrict administrative access to the device to trusted networks and IP addresses using firewall rules and access control lists to minimize exposure.
2) Enforce strong, unique administrator credentials and implement multi-factor authentication (MFA) where possible to reduce the risk of credential compromise.
3) Monitor device logs for unusual file access or deletion activity, particularly related to the file_upload-cgi interface.
4) Disable or restrict the file_upload-cgi functionality if it is not essential for operations.
5) Regularly back up device configurations to enable rapid restoration in case of file deletion or tampering.
6) Maintain network segmentation to limit the impact of a compromised device.
7) Stay alert for official firmware updates from Zyxel and apply patches promptly once available.

These targeted actions go beyond generic advice by focusing on access restrictions, monitoring, and operational controls specific to the vulnerability's exploitation vector.
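The following is an added example, not Zyxel's code and not derived from the NWA50AX PRO firmware. It illustrates two things the analysis above describes: the CWE-22 defect class (a handler that joins a user-supplied name onto a storage directory without checking where the result lands) next to a containment check that refuses anything resolving outside the root, and the log-monitoring step from the mitigation list, implemented as a scanner that reuses that same check over request parameters. Everything device-specific is assumed: UPLOAD_ROOT is a hypothetical storage directory, the log lines are constructed in a generic CLF-like shape rather than the device's real format, and placeholder.conf stands in for whatever configuration file the advisory refers to.

```python
"""Added example (not Zyxel code): CWE-22 containment check plus log triage.

All paths, the log format and the file names below are constructed for the
example and are not taken from the NWA50AX PRO firmware.
"""
import posixpath
import re
from urllib.parse import unquote

UPLOAD_ROOT = "/var/upload"  # hypothetical storage root used by the CGI


class PathTraversalError(ValueError):
    """Raised when a user-supplied name would escape the upload root."""


def fully_decode(name: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so double-encoded sequences are caught."""
    for _ in range(max_rounds):
        decoded = unquote(name)
        if decoded == name:
            return decoded
        name = decoded
    raise PathTraversalError("too many encoding layers")


def naive_join(base: str, name: str) -> str:
    """The CWE-22 pattern: concatenate and trust the result."""
    return posixpath.join(base, name)


def safe_join(base: str, name: str) -> str:
    """Resolve name under base and refuse any result outside base."""
    name = fully_decode(name)
    if not name or "\x00" in name or name.startswith("/"):
        raise PathTraversalError(f"rejected input: {name!r}")
    root = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(root, name))
    # normpath collapses '..' segments, so a contained path still starts
    # with the root; anything else has escaped the restricted directory.
    if candidate != root and not candidate.startswith(root + "/"):
        raise PathTraversalError(f"escapes {root}: {candidate}")
    return candidate


# Constructed log lines (hypothetical format, not the device's own logs).
SAMPLE_LOG = """\
192.0.2.10 - admin [15/Jul/2025:01:40:01 +0000] "POST /cgi-bin/file_upload-cgi?file=firmware.bin HTTP/1.1" 200 512
192.0.2.10 - admin [15/Jul/2025:01:41:17 +0000] "POST /cgi-bin/file_upload-cgi?file=..%2F..%2Fplaceholder.conf HTTP/1.1" 200 12
198.51.100.7 - admin [15/Jul/2025:01:42:30 +0000] "GET /cgi-bin/status-cgi HTTP/1.1" 200 2048
192.0.2.10 - admin [15/Jul/2025:01:43:05 +0000] "POST /cgi-bin/file_upload-cgi?file=%252e%252e/%252e%252e/placeholder.conf HTTP/1.1" 200 12
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def find_traversal_attempts(log_text: str, cgi_name: str = "file_upload-cgi") -> list[dict]:
    """Flag requests to the upload CGI whose parameters fail the containment check."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or cgi_name not in m["target"]:
            continue
        _, _, query = m["target"].partition("?")
        for param in query.split("&"):
            key, _, value = param.partition("=")
            if not value:
                continue
            try:
                safe_join(UPLOAD_ROOT, value)
            except PathTraversalError as exc:
                hits.append({"src": m["src"], "user": m["user"], "ts": m["ts"],
                             "param": key, "reason": str(exc)})
    return hits


if __name__ == "__main__":
    # Contrast the two join strategies on the same input.
    escaped = posixpath.normpath(naive_join(UPLOAD_ROOT, "../../etc/placeholder.conf"))
    print("naive join resolves to:", escaped)
    try:
        safe_join(UPLOAD_ROOT, "../../etc/placeholder.conf")
    except PathTraversalError as exc:
        print("safe join rejected it:", exc)
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print("suspicious request:", hit)
```

The decode loop matters because the request parameter reaches the scanner (and, in a real handler, the file system code) in whatever encoding the client chose; checking the raw string for `..` would miss the percent-encoded forms in lines two and four of the sample. Running the scanner over the device's real logs would require adapting LOG_RE to that log format, which this example does not know.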


Technical Details

Data Version
5.1
Assigner Short Name
Zyxel
Date Reserved
2025-06-19T03:32:47.838Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 6875b667a83201eaaccc25e4

Added to database: 7/15/2025, 2:01:11 AM

Last enriched: 7/15/2025, 2:16:14 AM

Last updated: 7/15/2025, 8:32:34 PM
