CVE-2025-11730 in ATP
Summary
by MITRE • 02/05/2026
A post‑authentication command injection vulnerability in the Dynamic DNS (DDNS) configuration CLI command in Zyxel ATP series firmware versions from V5.35 through V5.41, USG FLEX series firmware versions from V5.35 through V5.41, USG FLEX 50(W) series firmware versions from V5.35 through V5.41, and USG20(W)-VPN series firmware versions from V5.35 through V5.41 could allow an authenticated attacker with administrator privileges to execute operating system (OS) commands on an affected device by supplying a specially crafted string as an argument to the CLI command.
Analysis
by VulDB Data Team • 02/05/2026
This vulnerability represents a critical post-authentication command injection flaw in Zyxel network security appliances that affects multiple product lines including ATP series, USG FLEX series, USG FLEX 50(W) series, and USG20(W)-VPN series. The vulnerability exists within the Dynamic DNS configuration command line interface functionality where the system fails to properly sanitize user input before executing operating system commands. Attackers with administrator credentials can exploit this weakness by crafting malicious input strings that bypass input validation mechanisms and directly inject operating system commands into the vulnerable CLI interface. This represents a classic command injection vulnerability that allows arbitrary code execution at the operating system level, providing attackers with extensive control over the affected devices.
The vulnerability stems from inadequate input validation and sanitization in the CLI command processing logic. When an administrator configures Dynamic DNS settings through the command line interface, the firmware does not escape or validate characters that the underlying shell interprets as command delimiters or operators, so an authenticated attacker can inject a payload that runs with the privileges of the device's operating system. The flaw is post-authentication: the attacker must first hold administrator credentials, but needs nothing beyond what that role already grants. It maps to CWE-77 (improper neutralization of special elements used in a command, i.e. command injection) and CWE-88 (argument injection). The attack pattern is the classic one: input concatenated directly into a system command string without sanitization.
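The pattern described above, as an added illustration that is not Zyxel's code and does not reproduce the affected firmware: a DDNS hostname is spliced into a shell command string (the vulnerable shape), then shown beside two fixes, shell-quoting the field when a shell string is unavoidable and, preferably, validating the hostname against an allowlist and passing it as one argv element with no shell involved. The updater path `/usr/sbin/ddns-update` and the `--host`/`--user` options are hypothetical; the runnable demo substitutes a child Python process for the updater so the example works offline.

```python
"""Added example (not Zyxel's code): how a DDNS hostname handed to a CLI
command becomes OS command injection when spliced into a shell string,
and two ways to close the hole."""
import json
import re
import shlex
import subprocess
import sys

# Hypothetical updater binary; the appliance's real helper is not on the page.
DDNS_UPDATER = "/usr/sbin/ddns-update"

# RFC 1123 host labels: letters, digits, hyphens; no leading or trailing
# hyphen; 1-63 chars per label, 253 overall. Anything a shell could
# interpret (; | & ` $ ( ) quotes, whitespace, newline) fails by construction.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}$")


def is_valid_ddns_hostname(hostname: str) -> bool:
    """Allowlist check: accept only syntactically valid DNS names."""
    return len(hostname) <= 253 and _HOSTNAME_RE.fullmatch(hostname) is not None


def build_command_unsafe(hostname: str, user: str) -> str:
    """The vulnerable shape: untrusted input concatenated into one shell
    string. A value such as 'x; id' ends the updater command and starts a
    second one the moment this string reaches sh -c."""
    return f"{DDNS_UPDATER} --host {hostname} --user {user}"


def build_command_quoted(hostname: str, user: str) -> str:
    """Partial fix when a shell string cannot be avoided: every untrusted
    field is shell-quoted so metacharacters stay inside a single argument."""
    return f"{DDNS_UPDATER} --host {shlex.quote(hostname)} --user {shlex.quote(user)}"


def build_argv_safe(hostname: str, user: str) -> list[str]:
    """Preferred fix: validate first, then build an argv list for
    subprocess.run(..., shell=False) so no shell ever parses the input."""
    if not is_valid_ddns_hostname(hostname):
        raise ValueError(f"rejected DDNS hostname: {hostname!r}")
    return [DDNS_UPDATER, "--host", hostname, "--user", user]


def run_argv_demo(argv: list[str]) -> list[str]:
    """Stand-in for executing the updater: run argv[1:] through a child
    Python that reports its own sys.argv, and return the argument vector
    exactly as the child received it. With an argv list the injected
    string arrives as one opaque argument rather than a second command."""
    child = [sys.executable, "-c", "import sys, json; print(json.dumps(sys.argv[1:]))"]
    out = subprocess.run(child + argv[1:], capture_output=True, text=True, check=True)
    return json.loads(out.stdout)


if __name__ == "__main__":
    hostile = "x.example.net; id"          # constructed hostile input
    print("unsafe string :", build_command_unsafe(hostile, "admin"))
    print("quoted string :", build_command_quoted(hostile, "admin"))
    print("argv received :", run_argv_demo([DDNS_UPDATER, "--host", hostile, "--user", "admin"]))
    try:
        build_argv_safe(hostile, "admin")
    except ValueError as exc:
        print("validator     :", exc)
```

The argv route is the one to prefer on an appliance: quoting defends the shell boundary, but the allowlist also stops values that are harmless to the shell yet meaningless as a DDNS hostname, and it keeps the updater from ever seeing option-like strings (the CWE-88 case).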
The operational impact of this vulnerability is severe and multifaceted for organizations using affected Zyxel devices. Successful exploitation enables attackers to execute arbitrary operating system commands, potentially leading to complete device compromise, data exfiltration, and lateral movement within the network. Attackers could install backdoors, modify firewall rules, access internal network resources, or use the compromised device as a pivot point for attacking other systems. The vulnerability affects a broad range of Zyxel security appliances that are commonly deployed in enterprise and small office environments, making it particularly concerning for organizations that rely on these devices for network security. The affected firmware versions span multiple product series, indicating a widespread issue that could impact numerous network security implementations across various organizational sizes. This vulnerability directly maps to ATT&CK technique T1059.001 for command and scripting interpreter and T1068 for exploit for privilege escalation, as it allows an authenticated user to escalate their privileges to full operating system access.
Organizations should apply several layers of mitigation at once. The primary step is to update every affected device to the firmware versions that contain the fix for this command injection. Administrators should also enforce strict access controls and grant administrator privileges only to users who need them, which shrinks the population able to reach the vulnerable command. Network segmentation and monitoring should be strengthened so that unusual command execution on the appliance is detected and can be treated as a possible exploitation attempt. Web application firewalls and intrusion detection systems can additionally help identify and block malicious input patterns before they reach the vulnerable CLI interface. Regular security audits and penetration tests should confirm that these measures are effective and surface any further weaknesses in the network infrastructure. The vulnerability underlines how critical proper input validation and sanitization are in network security appliances, especially in command line interfaces that drive system-level operations.
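One way to act on the monitoring recommendation above, as an added example that is not part of the original analysis and not Zyxel's tooling: scan CLI audit records for DDNS configuration commands whose argument values carry shell metacharacters. The log line format, the `ddns profile ... host=` command syntax and the sample records are all constructed for this example; the real appliance's audit format and CLI grammar are not on the page, so the regexes would need to be adapted to whatever the device actually emits.

```python
"""Added example (not Zyxel's code): flag DDNS configuration commands in a
CLI audit log whose argument values contain shell metacharacters.
Log format and command syntax below are constructed for the example."""
import re
from dataclasses import dataclass

# Constructed sample audit log: one line per CLI command an admin issued.
SAMPLE_AUDIT_LOG = """\
2026-02-05T08:12:03Z user=admin src=192.0.2.10 cmd="ddns profile home host=home.example.net"
2026-02-05T08:14:41Z user=admin src=192.0.2.10 cmd="show ddns status"
2026-02-05T08:15:09Z user=admin src=198.51.100.7 cmd="ddns profile home host=x.example.net;id"
2026-02-05T08:15:30Z user=admin src=198.51.100.7 cmd="ddns profile home host=$(uname -a).example.net"
2026-02-05T08:20:00Z user=ops src=192.0.2.11 cmd="ddns profile office host=office-2.example.net"
"""

_LINE_RE = re.compile(r'^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) cmd="(?P<cmd>.*)"$')
# Characters and sequences that only make sense if a shell will parse the value.
_METACHARS = re.compile(r"[;&|`'\"\\\n<>]|\$\(|\$\{")


@dataclass
class Alert:
    ts: str
    user: str
    src: str
    command: str
    suspicious_arg: str


def find_injection_attempts(log_text: str) -> list[Alert]:
    """Return one Alert per DDNS configuration command whose key=value
    argument contains a shell metacharacter. Read-only 'show' commands
    take no free-form values and are skipped."""
    alerts: list[Alert] = []
    for line in log_text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue                      # unparseable line: not this detector's job
        cmd = m["cmd"]
        if not cmd.startswith("ddns ") or "=" not in cmd:
            continue                      # not a DDNS configuration command
        for token in cmd.split()[1:]:
            if "=" not in token:
                continue
            value = token.split("=", 1)[1]
            if _METACHARS.search(value):
                alerts.append(Alert(m["ts"], m["user"], m["src"], cmd, value))
                break                     # one alert per command is enough
    return alerts


if __name__ == "__main__":
    for alert in find_injection_attempts(SAMPLE_AUDIT_LOG):
        print(f"{alert.ts} {alert.user}@{alert.src} suspicious value {alert.suspicious_arg!r} in: {alert.command}")
```

Because the flaw is post-authentication, the interesting signal is not the login but the command content: a legitimate DDNS hostname never needs a semicolon, pipe, backtick or `$(`, so any such value from an administrator session is worth an immediate look at that session's source address and the rest of its activity.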