CVE-2025-9133: CWE-862 Missing Authorization in Zyxel ATP series firmware
A missing authorization vulnerability in Zyxel ATP series firmware versions from V4.32 through V5.40, USG FLEX series firmware versions from V4.50 through V5.40, USG FLEX 50(W) series firmware versions from V4.16 through V5.40, and USG20(W)-VPN series firmware versions from V4.16 through V5.40 could allow a semi-authenticated attacker—who has completed only the first stage of the two-factor authentication (2FA) process—to view and download the system configuration from an affected device.
AI Analysis
Technical Summary
CVE-2025-9133 is a missing authorization vulnerability (CWE-862) in Zyxel ATP series firmware and in several USG FLEX and USG20(W)-VPN series firmware versions, spanning roughly V4.16 to V5.40 depending on the product line. The flaw is that the firmware treats a user who has completed only the first stage of the two-factor authentication (2FA) process as sufficiently authorized to reach configuration functionality, so the second factor is never enforced for that operation. This incomplete authorization check lets a semi-authenticated attacker view and download the entire system configuration from the affected device. A system configuration of this kind typically contains sensitive data such as network topology, firewall rules, VPN credentials and administrative settings, which can be leveraged for further attacks or lateral movement within a network. The vulnerability has a CVSS v3.1 base score of 8.1 (high): attack vector network (AV:N), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), scope unchanged (S:U), high confidentiality and integrity impact (C:H/I:H), and no availability impact (A:N). Although no public exploits are known at this time, the nature and impact of the flaw make it a critical concern for organizations relying on these Zyxel devices for network security. The affected firmware versions span multiple product lines, increasing the potential attack surface. The vulnerability was reserved in August 2025 and published in October 2025, indicating recent discovery and disclosure.
Potential Impact
The primary impact of CVE-2025-9133 is the unauthorized disclosure of sensitive system configuration data from affected Zyxel devices. This exposure compromises network confidentiality by revealing firewall rules, VPN credentials, user accounts and other critical security settings. Attackers who obtain this information can plan targeted attacks, escalate privileges, or move laterally within the network. The integrity of the device's configuration is also at risk, as attackers might use the information to craft malicious configurations or disrupt network operations indirectly. Although availability is not directly impacted, the breach of confidentiality and integrity can lead to significant operational and reputational damage. Organizations worldwide using Zyxel ATP and USG FLEX series devices in their security infrastructure face increased risk of targeted attacks, especially if attackers exploit this vulnerability before patches are applied. Because partial authentication is required, exploitation is limited to actors with some level of access, such as insiders or attackers who have compromised initial credentials. However, since full 2FA completion is not needed, the barrier is significantly lower than for an attack that must defeat the complete authentication process.
Mitigation Recommendations
To mitigate CVE-2025-9133, organizations should immediately identify all Zyxel ATP, USG FLEX, and USG VPN devices running affected firmware versions (V4.16 through V5.40, depending on the product line). Since no patch links are currently provided, organizations should monitor Zyxel's official channels for firmware updates addressing this vulnerability and apply them promptly once available. In the interim, restrict network access to device management interfaces to trusted administrative networks only, using network segmentation and firewall rules to limit exposure. Enforce strict access controls and monitor authentication logs for sessions that pass the first 2FA stage but never complete the second, particularly when such sessions are followed by configuration access. Consider disabling 2FA temporarily if this can be done securely without increasing risk, or enforce full 2FA completion before allowing any configuration access. Employ intrusion detection systems to alert on unusual configuration download attempts. Additionally, review and rotate any credentials or keys stored on affected devices after remediation, since a downloaded configuration may have exposed them. Finally, conduct security awareness training so administrators can recognize and report suspicious authentication activity.
Affected Countries
United States, Germany, United Kingdom, France, Japan, South Korea, Australia, Canada, Netherlands, Singapore, India
Technical Details
- Data Version: 5.1
- Assigner Short Name: Zyxel
- Date Reserved: 2025-08-19T01:09:14.783Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68f6f0dbb870ea37e2aefe45
Added to database: 10/21/2025, 2:32:59 AM
Last enriched: 2/27/2026, 6:23:55 AM
Last updated: 3/24/2026, 10:40:45 AM
Views: 330