CVE-2025-8078 is an OS command injection vulnerability classified under CWE-78 found in Zyxel ATP series firmware versions from V4.32 through V5.40, USG FLEX series from V4.50 through V5.40, USG FLEX 50(W) from V4.16 through V5.40, and USG20(W)-VPN series from V4.16 through V5.40. The vulnerability arises from improper neutralization of special elements in OS commands executed via the device's CLI interface. An attacker with authenticated administrator privileges can craft malicious input strings passed as arguments to CLI commands, resulting in arbitrary OS command execution on the device. This can lead to complete device compromise, enabling attackers to manipulate firewall rules, intercept or redirect traffic, disable security features, or pivot into internal networks. The vulnerability requires no user interaction but does require high privilege authentication, limiting exploitation to insiders or attackers who have already compromised credentials. The CVSS v3.1 score is 7.2 (high), reflecting network attack vector, low attack complexity, high privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. No public exploits or patches are currently known, but the vulnerability was reserved in July 2025 and published in October 2025. Zyxel devices are widely deployed in enterprise and government networks, making this a critical concern for network security.

For European organizations, this vulnerability poses a significant risk to network security infrastructure. Exploitation could allow attackers to gain full control over affected Zyxel firewall and security appliances, potentially leading to unauthorized data access, network traffic manipulation, and disruption of critical services. Confidentiality could be compromised through interception or exfiltration of sensitive data passing through these devices. Integrity could be undermined by altering firewall rules or injecting malicious configurations. Availability could be impacted by disabling or crashing the devices, resulting in network outages. Given the widespread use of Zyxel devices in European enterprises, government agencies, and critical infrastructure sectors, successful exploitation could facilitate lateral movement within networks and enable advanced persistent threats. The requirement for administrator-level authentication reduces the likelihood of remote exploitation by external attackers but increases the threat from insider attacks or credential theft scenarios. The absence of known public exploits currently limits immediate risk but also means organizations must act proactively to prevent future exploitation.

1. Immediately audit and restrict administrative access to Zyxel devices, enforcing strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of credential compromise. 2. Monitor device logs and CLI command usage for unusual or unauthorized activity that could indicate exploitation attempts. 3. Segment management interfaces from general network access to limit exposure of administrative portals. 4. Apply vendor firmware updates or patches as soon as they become available to remediate the vulnerability. 5. If patches are delayed, consider temporary compensating controls such as disabling CLI access where feasible or limiting CLI command execution to trusted IP addresses. 6. Conduct regular credential hygiene practices, including password rotation and monitoring for leaked credentials. 7. Implement network intrusion detection systems (NIDS) tuned to detect anomalous command injection patterns or unusual device behavior. 8. Educate administrators on the risks of this vulnerability and the importance of secure management practices. 9. Review and update incident response plans to include scenarios involving compromise of network security appliances.