CVE-2025-1732

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-1732
An improper privilege management vulnerability in the recovery function of the Zyxel USG FLEX H series uOS firmware version V1.31 and earlier could allow an authenticated local attacker with administrator privileges to upload a crafted configuration file and escalate privileges on a vulnerable device.

6.7 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 0.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-incorrect-permission-assignment-and-improper-privilege-management-vulnerabilities-in-usg-flex-h-series-firewalls-04-22-2025
Configurations

No configuration.

History

12 Jun 2025, 07:15

Type Values Removed Values Added
Summary (en) An improper privilege management vulnerability in the recovery function of the USG FLEX H series uOS firmware version V1.31 and earlier could allow an authenticated local attacker with administrator privileges to upload a crafted configuration file and escalate privileges on a vulnerable device. (en) An improper privilege management vulnerability in the recovery function of the Zyxel USG FLEX H series uOS firmware version V1.31 and earlier could allow an authenticated local attacker with administrator privileges to upload a crafted configuration file and escalate privileges on a vulnerable device.

23 Apr 2025, 14:08

Type Values Removed Values Added
Summary
  • (es) Una vulnerabilidad de gestión de privilegios inadecuada en la función de recuperación de la versión de firmware uOS V1.31 y anteriores de la serie USG FLEX H podría permitir que un atacante local autenticado con privilegios de administrador cargue un archivo de configuración manipulado y escale privilegios en un dispositivo vulnerable.

22 Apr 2025, 03:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-04-22 03:15

Updated : 2025-06-12 07:15

NVD link : CVE-2025-1732

Mitre link : CVE-2025-1732

CVE.ORG link : CVE-2025-1732

JSON object : View

Products Affected

No product.

CWE
CWE-269

Improper Privilege Management