CVE-2025-1731

An incorrect permission assignment vulnerability in the PostgreSQL commands of the Zyxel USG FLEX H series uOS firmware versions from V1.20 through V1.31 could allow an authenticated local attacker with low privileges to gain access to the Linux shell and escalate their privileges by crafting malicious scripts or modifying system configurations with administrator-level access through a stolen token. Modifying the system configuration is only possible if the administrator has not logged out and the token remains valid.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-incorrect-permission-assignment-and-improper-privilege-management-vulnerabilities-in-usg-flex-h-series-firewalls-04-22-2025	Vendor Advisory
http://seclists.org/fulldisclosure/2025/Apr/27	Mailing List

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:zyxel:uos:*:*:*:*:*:*:*:*

OR	cpe:2.3:h:zyxel:usg_flex_100h:-:::::::*
	cpe:2.3:h:zyxel:usg_flex_100hp:-:::::::*
	cpe:2.3:h:zyxel:usg_flex_200h:-:::::::*
	cpe:2.3:h:zyxel:usg_flex_200hp:-:::::::*
	cpe:2.3:h:zyxel:usg_flex_500h:-:::::::*
	cpe:2.3:h:zyxel:usg_flex_50h:-:::::::*
	cpe:2.3:h:zyxel:usg_flex_50hp:-:::::::*
	cpe:2.3:h:zyxel:usg_flex_700h:-:::::::*

History

No history.

Information

Published : 2025-04-22 03:15

Updated : 2025-10-30 17:55

NVD link : CVE-2025-1731

Mitre link : CVE-2025-1731

CVE.ORG link : CVE-2025-1731

JSON object : View

Products Affected

zyxel

usg_flex_500h
usg_flex_50hp
usg_flex_50h
usg_flex_700h
usg_flex_100h
usg_flex_200h
usg_flex_200hp
uos
usg_flex_100hp

CWE

CWE-732

Incorrect Permission Assignment for Critical Resource

{"id": "CVE-2025-1731", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security@zyxel.com.tw", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2025-04-22T03:15:21.177", "references": [{"url": "https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-incorrect-permission-assignment-and-improper-privilege-management-vulnerabilities-in-usg-flex-h-series-firewalls-04-22-2025", "tags": ["Vendor Advisory"], "source": "security@zyxel.com.tw"}, {"url": "http://seclists.org/fulldisclosure/2025/Apr/27", "tags": ["Mailing List"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@zyxel.com.tw", "description": [{"lang": "en", "value": "CWE-732"}]}], "descriptions": [{"lang": "en", "value": "An incorrect permission assignment vulnerability in the PostgreSQL commands of the Zyxel USG FLEX H series uOS firmware versions from V1.20 through V1.31 could allow an authenticated local attacker with low privileges to gain access to the Linux shell and escalate their privileges by crafting malicious scripts or modifying system configurations with administrator-level access through a stolen token. Modifying the system configuration is only possible if the administrator has not logged out and the token remains valid."}, {"lang": "es", "value": "Una vulnerabilidad de asignaci\u00f3n incorrecta de permisos en los comandos PostgreSQL de las versiones de firmware uOS de la serie USG FLEX H, de la V1.20 a la V1.31, podr\u00eda permitir que un atacante local autenticado con privilegios bajos acceda al shell de Linux y aumente sus privilegios mediante la creaci\u00f3n de scripts maliciosos o la modificaci\u00f3n de la configuraci\u00f3n del sistema con acceso de administrador mediante un token robado. La modificaci\u00f3n de la configuraci\u00f3n del sistema solo es posible si el administrador no ha cerrado sesi\u00f3n y el token sigue siendo v\u00e1lido."}], "lastModified": "2025-10-30T17:55:46.857", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:zyxel:uos:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E4CCD46D-8AAF-4ABC-B9CF-AE1ED1F45D48", "versionEndExcluding": "1.32", "versionStartIncluding": "1.20"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:zyxel:usg_flex_100h:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "ED28D5ED-B21A-4CD6-947E-9C21EA801B7D"}, {"criteria": "cpe:2.3:h:zyxel:usg_flex_100hp:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "ACCFC4B1-37DD-4BF7-86A9-5F0A9A2C1D07"}, {"criteria": "cpe:2.3:h:zyxel:usg_flex_200h:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "09D15ECD-4942-407A-A62E-9785568C6B78"}, {"criteria": "cpe:2.3:h:zyxel:usg_flex_200hp:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "FD7E9028-1ECB-4D88-84D8-CFC589B429AE"}, {"criteria": "cpe:2.3:h:zyxel:usg_flex_500h:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "DE57BCA4-8631-460A-BFE3-BB765E5D009F"}, {"criteria": "cpe:2.3:h:zyxel:usg_flex_50h:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "875DC0B8-0189-4952-9FD8-00970F4C72F5"}, {"criteria": "cpe:2.3:h:zyxel:usg_flex_50hp:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "F3697878-4927-4381-BA26-3FD9A08D7661"}, {"criteria": "cpe:2.3:h:zyxel:usg_flex_700h:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "8832743A-99FA-417E-BCE1-4BF7D4CEF9BE"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "security@zyxel.com.tw"}