CVE-2025-9133 is a missing authorization vulnerability classified under CWE-862, found in several Zyxel firewall and VPN device firmware versions. The vulnerability arises because the firmware improperly authorizes users who have only completed the first stage of the two-factor authentication process. Normally, two-factor authentication requires two separate verification steps to grant access; however, due to this flaw, an attacker who has passed the initial authentication step but not the second can still access sensitive system functions. Specifically, the attacker can view and download the entire system configuration from the affected device. This configuration data often contains sensitive information such as network topology, firewall rules, VPN credentials, and administrative settings. The affected products include Zyxel ATP series firmware versions 4.32 through 5.40, USG FLEX series firmware versions 4.50 through 5.40, USG FLEX 50(W) series firmware versions 4.16 through 5.40, and USG20(W)-VPN series firmware versions 4.16 through 5.40. The vulnerability has a CVSS v3.1 base score of 8.1, indicating high severity, with an attack vector of network (remote), low attack complexity, requiring low privileges (semi-authenticated), no user interaction, and resulting in high confidentiality and integrity impacts. Although no public exploits have been reported, the ease of exploitation and the sensitivity of the exposed data make this a critical concern. The flaw could be leveraged by attackers to gather intelligence for further attacks, pivot within networks, or disrupt operations by manipulating configurations. Zyxel has not yet released patches, so organizations must rely on compensating controls until updates become available.

For European organizations, the impact of CVE-2025-9133 is significant due to the widespread use of Zyxel firewall and VPN devices in enterprise and government networks. Unauthorized access to system configurations can lead to exposure of sensitive network architecture details, VPN credentials, and security policies, enabling attackers to conduct targeted intrusions, lateral movement, or persistent access. Confidentiality breaches could expose personal data protected under GDPR, leading to regulatory penalties and reputational damage. Integrity compromise of configurations could allow attackers to alter firewall rules or VPN settings, potentially creating backdoors or disabling security controls. The vulnerability's network-based attack vector and low complexity increase the risk of exploitation, especially in environments where semi-authenticated access is possible, such as through compromised user credentials or weak initial authentication stages. This threat is particularly critical for sectors with high security requirements, including finance, healthcare, critical infrastructure, and government agencies across Europe.

1. Immediate mitigation should include restricting network access to Zyxel management interfaces to trusted IP addresses only, using network segmentation and firewall rules to limit exposure. 2. Enforce strong multi-factor authentication policies and monitor for any unusual authentication attempts, especially partial 2FA completions. 3. Implement strict logging and alerting on configuration access attempts to detect potential exploitation early. 4. Disable remote management interfaces if not required or move management access to dedicated, isolated management networks. 5. Regularly audit user accounts and permissions to ensure no unauthorized or semi-authenticated users exist. 6. Apply any available vendor advisories or interim patches as soon as Zyxel releases them. 7. Consider deploying intrusion detection/prevention systems (IDS/IPS) tuned to detect anomalous access patterns on Zyxel devices. 8. Educate administrators about the risk of partial 2FA bypass and encourage vigilance in monitoring device access. These steps go beyond generic advice by focusing on access control hardening, monitoring, and network-level protections tailored to the nature of this vulnerability.