Recent research has uncovered security vulnerabilities in the Zyxel USG FLEX H Series firewalls, which are designed for high-performance network environments. The vulnerabilities, found in Zyxel's Linux-based uOS operating system, allow a local user who already has shell access to escalate privileges to root. They have been collectively assigned CVE-2025-1731. The issues stem from incorrect permission assignment and improper privilege management, centred on the custom setuid-root binary /usr/sbin/fermion-wrapper.
The vulnerabilities include a privilege escalation vector in the Recovery Manager functionality and a filesystem weakness: the /tmp directory is world-writable but lacks the sticky bit, so any local user can delete or rename files that other users created there, whoever owns them. That oversight simplifies exploitation of the fermion-wrapper flaw, letting a low-privileged user overwrite arbitrary files or escalate to root. The confirmed affected devices are Zyxel USG FLEX 100H and 200H models on specific firmware versions, though other models in the series may also be at risk.
Zyxel has released firmware version 1.32 to address these vulnerabilities, following a coordinated disclosure process. Despite objections from the researchers, Zyxel used CVE-2025-1731 as the single identifier for the issues. Zyxel has also stated that it regards the missing sticky bit on /tmp as an implementation flaw rather than a security vulnerability; from a hardening standpoint it is still worth confirming after the update that /tmp carries mode 1777, since the sticky bit is what stops one user from removing another user's temporary files.
The primary threat is a local privilege escalation in the Zyxel USG FLEX H Series firewalls: because fermion-wrapper runs setuid root, a local user can drive it into creating writable files at locations of the attacker's choosing in the filesystem, which can lead to root access and full control of the device. The missing sticky bit on /tmp makes this easier, because the attacker can delete or rename files there that belong to other users, including root, and substitute their own.
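The two filesystem conditions described above can be checked on any Linux host with shell access. The script below is an added example written for this page, not code from Zyxel or from the researchers: it reports world-writable directories that lack the sticky bit (the weak setting), applies the corrected 1777 mode on request, and inventories setuid binaries, which is the list in which a helper such as /usr/sbin/fermion-wrapper would appear on an affected device. The function names, the directories it checks (/tmp and /var/tmp under the given root) and the sample paths are my own choices; it assumes a POSIX shell with ls, find and chmod, and it does not itself detect or exploit CVE-2025-1731.

```shell
#!/bin/sh
# Added example, not Zyxel code: audit a Linux host for the two conditions the
# advisory describes (a world-writable temp directory without the sticky bit,
# and setuid binaries) so they can be spotted on any box with shell access.
# Assumes a POSIX shell with ls, find and chmod (GNU or BusyBox userland).
# Directory choices and sample paths are constructed for illustration.

# has_sticky DIR: exit 0 when DIR has the sticky bit, 1 when it does not,
# 2 when DIR cannot be inspected. The 10th character of the ls mode string
# (drwxrwxrwt) is 't' or 'T' only when the sticky bit is present.
has_sticky() {
    mode=$(ls -ld "$1" 2>/dev/null) || return 2
    case "$(printf '%s' "$mode" | cut -c10)" in
        t|T) return 0 ;;
        *)   return 1 ;;
    esac
}

# is_world_writable DIR: exit 0 when "other" has write permission (9th char 'w').
is_world_writable() {
    mode=$(ls -ld "$1" 2>/dev/null) || return 2
    [ "$(printf '%s' "$mode" | cut -c9)" = "w" ]
}

# weak_shared_dirs DIR...: print each directory that is world-writable yet
# lacks the sticky bit, i.e. the weak setting the advisory reports for /tmp.
weak_shared_dirs() {
    for d in "$@"; do
        if is_world_writable "$d" && ! has_sticky "$d"; then
            printf '%s\n' "$d"
        fi
    done
}

# fix_sticky DIR: the corrected setting. Mode 1777 keeps the directory shared
# but lets only a file's owner (or root) remove or rename files inside it.
fix_sticky() {
    chmod 1777 "$1"
}

# list_setuid ROOT: print regular files below ROOT with the setuid bit set,
# the inventory in which a custom helper like fermion-wrapper would show up.
list_setuid() {
    find "$1" -xdev -type f -perm -4000 -print 2>/dev/null | sort
}

# audit ROOT: human-readable report; exit 1 when something needs attention.
audit() {
    root=${1:-/}
    rc=0
    weak=$(weak_shared_dirs "$root/tmp" "$root/var/tmp")
    if [ -n "$weak" ]; then
        printf '%s\n' "$weak" | sed 's/^/WEAK (world-writable, no sticky bit): /'
        rc=1
    fi
    printf 'setuid binaries under %s:\n' "$root"
    list_setuid "$root" | sed 's/^/  /'
    return $rc
}

# When run directly with a root path, report on it; sourcing the file only
# defines the functions so they can be reused or tested.
if [ $# -gt 0 ]; then
    audit "$1"
fi
```

Run it as `sh audit.sh /` for a report (the chmod only happens if fix_sticky is called explicitly), or source it to reuse the functions. On an upgraded device, `weak_shared_dirs /tmp` printing nothing is the quick confirmation that the sticky bit is now present.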
The Recovery Manager functionality provides a second, independent privilege escalation vector. Both issues matter for organizations that rely on these firewalls as perimeter security devices, since root on the firewall means unauthorized access to the network it protects and the potential for data breaches.
Clients using Zyxel USG FLEX H Series firewalls may face operational disruption if an attacker gains control of the device, with the attendant risk of data breaches, financial loss and reputational damage. The vulnerabilities also carry compliance implications: organizations must keep their network security controls aligned with the regulations that apply to them, and leaving a known root-level flaw unpatched could lead to audits, penalties or other legal consequences for failing to protect sensitive data adequately.
To mitigate the identified risks, clients should take the following actions:
By implementing these measures, clients can reduce the risk of unauthorized access and maintain compliance with relevant regulations. It is crucial to remain vigilant and proactive in addressing potential security threats.
1898 & Co. is actively addressing the current threat landscape by offering tailored security solutions designed to mitigate emerging threats like those affecting Zyxel USG FLEX H Series firewalls. Our services include comprehensive vulnerability assessments, penetration testing, and security audits to identify and address potential weaknesses in client networks.
We have updated our security protocols to incorporate the latest threat intelligence and best practices, ensuring our clients receive cutting-edge protection against evolving cyber threats. Our team collaborates with industry partners and government agencies to stay informed about the latest developments in cybersecurity and provide timely updates to our clients.
Our ongoing research efforts focus on identifying new vulnerabilities and developing effective mitigation strategies. We have successfully assisted clients in implementing security measures that align with industry standards, reducing their risk exposure and enhancing their overall security posture.