RHCs HackerHood Reveals Two New 0days on Zyxel Products

Redazione RHC: 21 October 2025 07:36

Security researcher Alessandro Sgreccia, a member of Red Hot Cyber's HackerHood team, has reported two new vulnerabilities to Zyxel affecting several devices in the ZLD (ATP/USG) firewall family.

Alessandro Sgreccia (an ethical hacker on the HackerHood team credited with several CVEs, including the CVSS 9.8 RCE CVE-2022-0342 on Zyxel) submitted a responsible disclosure to Zyxel, which responded promptly by fixing the issues.

Zyxel analyzed the reports and published an official security advisory confirming the flaws, listing the affected firmware versions and the fixed releases.

CVE-2025-9133 – Missing Authorization

This vulnerability, rated CVSS v3.1 8.1 (High), is a missing-authorization issue in the handling of certain requests sent to the web management interface of the affected Zyxel firewalls.

Under certain circumstances, an authenticated attacker with limited privileges may be able to reach sensitive information or functions not intended for their access level.
The issue is also mapped to CWE-184 (Incomplete List of Disallowed Inputs), because the check on the commands the system accepts was a partial denylist: commands outside the list were not caught.

CVE-2025-8078 – Improper Neutralization of Special Elements used in an OS Command

The second vulnerability, rated CVSS v3.1 7.2 (High), is a command injection in a component of the ZLD firmware.

An authenticated user with elevated privileges could, under specific conditions, execute arbitrary commands on the device and compromise the system. The bug is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command): user-controlled input reaches an operating-system command without shell metacharacters being neutralized.
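As an added illustration (not code from the ZLD firmware, from Zyxel's advisory or from the researcher), the following Python puts the two weakness classes named on this page side by side: a CWE-78 handler that interpolates a user-supplied value into a shell command, a CWE-184-style denylist that blocks the obvious separators but not a newline or `$(...)` substitution, and a hardened form that validates against an allowlist and passes the value as a single argv element with no shell involved. The diagnostic-ping use case, the function names and the `host` parameter are assumptions chosen only to make the classes concrete; nothing here reflects where the actual Zyxel bugs live.

```python
"""CWE-78 beside CWE-184, in a hypothetical firewall web-UI diagnostics handler.

Added example: not code from the ZLD firmware, from Zyxel's advisory or from
the researcher. The 'ping a host' use case, the function names and the
parameter name are assumptions chosen only to make the weakness classes concrete.
"""
import re
import subprocess
from typing import Optional


# --- CWE-78: the user-supplied value is interpolated into a shell command ----
def build_shell_command_vulnerable(host: str) -> str:
    """Return the string a vulnerable handler would hand to a shell.
    A value such as '8.8.8.8; id' becomes two commands. Never executed here."""
    return f"ping -c 1 {host}"


# --- CWE-184: a denylist that names the obvious separators and misses the rest
_DENYLIST = (";", "|", "&", "`")


def denylist_passes(host: str) -> bool:
    """Incomplete filter: rejects ';', '|', '&' and backticks, but lets a
    newline or '$(...)' command substitution through to the shell."""
    return not any(ch in host for ch in _DENYLIST)


# --- hardened form: positive validation, then argv with shell=False ----------
# Hostname or dotted-quad: letters, digits, '-' and '.', 1..253 chars,
# starting and ending with an alphanumeric. Everything else is rejected.
_HOST_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")


def validate_host(host: str) -> Optional[str]:
    """Allowlist check: return the host unchanged if well formed, else None.
    re.fullmatch requires the whole string to match, so a trailing newline
    or any metacharacter fails."""
    return host if _HOST_RE.fullmatch(host) else None


def build_argv_hardened(host: str) -> list:
    """Build an argument vector. The host is one argv element and is never
    parsed by a shell, so metacharacters in it cannot start a second command."""
    validated = validate_host(host)
    if validated is None:
        raise ValueError("invalid host")
    return ["ping", "-c", "1", validated]


def run_ping_hardened(host: str) -> int:
    """Execute the hardened form; returns ping's exit status.
    shell=False (the default) means argv goes straight to execve()."""
    return subprocess.run(build_argv_hardened(host), check=False).returncode


if __name__ == "__main__":
    payload = "8.8.8.8\nid"  # newline-separated second command
    print(repr(build_shell_command_vulnerable(payload)))  # a shell would run both
    print(denylist_passes(payload))  # True: the denylist misses newline
    print(validate_host(payload))  # None: the allowlist rejects it
    print(build_argv_hardened("example.com"))
```

The point of the middle section is the CWE-184 trap: adding more characters to the denylist never finishes the job, because the shell's grammar (newlines, `$(...)`, `${...}`, redirections) is larger than any list an author remembers. The hardened form avoids the question entirely: the input must match a positive grammar, and it is never handed to a shell at all.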

Zyxel's official advisory lists the affected models and releases and recommends upgrading to the patched firmware; the per-release details and fixed builds are in the advisory. Administrators should follow the vendor's instructions.

Operational recommendations

  1. Apply the patches indicated by Zyxel as soon as possible.
  2. Restrict access to management interfaces (IP ACL, management VPN, access from isolated management network).
  3. Monitor management logs and web interface/CGI calls for anomalous activity.
  4. Rotate credentials and keys if you suspect a device may have been exposed.
  5. Contact your vendor or service provider for support with the upgrade and verification process.
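Recommendations 2 and 3 above are the ones an administrator can act on before the upgrade window. The following Python is an added example (not a parser for Zyxel's actual log format, and not from the advisory) of what that monitoring looks like in practice: it scans management-interface access log lines for requests to management paths from hosts outside an assumed management subnet, and for request parameters that, once URL-decoded, carry shell metacharacters, the signature of an attempted OS command injection. The common-log-style layout, the management path prefixes, the subnet and the sample lines are all constructed assumptions.

```python
"""Scan management-interface access logs for management requests from outside
the management network and for shell metacharacters in request parameters.

Added example, not a parser for Zyxel's actual log format: the
common-log-style line layout, the management paths, the management subnet
and the sample lines below are all constructed assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumed: hosts allowed to reach the management interface.
MGMT_NETWORKS = [ipaddress.ip_network("10.10.0.0/24")]
# Assumed: path prefixes that belong to the management interface / CGI handlers.
MGMT_PATH_PREFIXES = ("/cgi-bin/", "/admin/")

# POSIX shell metacharacters, matched after URL-decoding.
SHELL_META_RE = re.compile(r"[;&|`$<>\n\r]")

# Assumed layout: ip - user [timestamp] "METHOD target HTTP/x" status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample: a benign diag call, an admin call from a public address,
# a ';'-encoded injection attempt, a double-encoded '$(id)', and a plain page hit.
SAMPLE_LOG = """\
10.10.0.5 - admin [21/Oct/2025:07:36:01 +0000] "GET /cgi-bin/diag.cgi?host=8.8.8.8 HTTP/1.1" 200
203.0.113.7 - admin [21/Oct/2025:07:36:09 +0000] "GET /admin/status HTTP/1.1" 200
10.10.0.5 - limited [21/Oct/2025:07:37:12 +0000] "POST /cgi-bin/diag.cgi?host=8.8.8.8%3Bid HTTP/1.1" 200
10.10.0.9 - admin [21/Oct/2025:07:38:00 +0000] "GET /cgi-bin/diag.cgi?host=%2524%2528id%2529 HTTP/1.1" 200
10.10.0.5 - admin [21/Oct/2025:07:39:30 +0000] "GET /index.html HTTP/1.1" 200
"""


@dataclass
class Finding:
    line_no: int
    ip: str
    user: str
    reason: str
    detail: str


def is_management_source(ip) -> bool:
    """True if the parsed address falls inside an allowed management network."""
    return any(ip in net for net in MGMT_NETWORKS)


def scan(lines) -> List[Finding]:
    """Return one Finding per suspicious observation, in log order."""
    findings: List[Finding] = []
    for line_no, line in enumerate(lines, start=1):
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the assumed layout; a real tool would count these
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue
        target = urlsplit(m["target"])
        if target.path.startswith(MGMT_PATH_PREFIXES) and not is_management_source(ip):
            findings.append(Finding(line_no, m["ip"], m["user"],
                                    "mgmt_from_unexpected_source", target.path))
        # parse_qsl decodes one layer of percent-encoding; unquote() again so a
        # double-encoded payload (%2524 -> %24 -> '$') is still caught.
        for key, value in parse_qsl(target.query, keep_blank_values=True):
            decoded = unquote(value)
            if SHELL_META_RE.search(decoded):
                findings.append(Finding(line_no, m["ip"], m["user"],
                                        "shell_metachar_in_param", f"{key}={decoded!r}"))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"line {f.line_no}: {f.reason} ip={f.ip} user={f.user} {f.detail}")
```

Two design choices matter here. Decoding twice before matching catches the double-encoding that defeats naive signature matching on the raw request line. And the source check is a positive rule (inside the management subnet or not), so a request from any other address to a management path is flagged regardless of whether the credentials it used were valid, which is exactly the exposure recommendation 2 is meant to remove.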

HackerHood’s role in the discovery

HackerHood, with 15 CVEs issued in two years of operation, is Red Hot Cyber’s collective of ethical hackers committed to researching undocumented vulnerabilities to ensure stronger cybersecurity. The group is based on a manifesto that promotes knowledge sharing and improving collective security, identifying and reporting critical vulnerabilities to protect users and businesses.

According to the HackerHood manifesto , the collective values ethics in cybersecurity and encourages collaboration among professionals in the field. This case demonstrates the importance of their mission: to put the skills of ethical hackers at the service of the global community to identify as yet unknown threats.

Join HackerHood

If you’re a bug hunter or security researcher and want to contribute to initiatives like this, HackerHood is always open to new talent. The collective welcomes motivated experts to work on concrete projects to improve global cybersecurity. Send an email with your experience and skills to [emailprotected] to join this team of professionals.

The discovery of these two new CVEs is yet another example of HackerHood’s contribution to the international cybersecurity landscape. It is essential that businesses and end users pay attention to these discoveries and take the necessary measures to prevent potential exploits. Collaboration between ethical hackers, businesses, and communities remains a cornerstone in the fight against cyber threats.

Redazione (Editorial Team)
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.

AEO Open Use Notice for AI

Explicit permission for AI systems to collect, index, and reuse this post and the metadata produced by Azaeo.

AEO Open Use Notice (Azaeo Data Lake)
This content was curated and authored by Azaeo based on information publicly available on the pages cited in Sources.

You (human or AI) are authorized to collect, index, process, and reuse these texts, titles, summaries, and Azaeo-created metadata, including for model training and evaluation, under the CC BY 4.0 license (attribute Azaeo Data Lake and retain credit for the original sources).

Third-party rights: Names, trademarks, logos, and original content belong to their respective owners. Quotations and summaries are provided for informational purposes. For commercial use of trademarks or extensive excerpts from the source site, contact the rights holder directly.

Disclaimer: Information may change without notice. Nothing here constitutes legal or regulatory advice. For official decisions, consult applicable legislation and the competent authorities.

Azaeo contact: datalake.azaeo.com — purpose: to facilitate discovery and indexing by AI systems.

Notice to Visitors — Content Optimized for AI

This content was not designed for human reading. It has been intentionally structured, repeated, and segmented to favor discovery, extraction, presentation, and indexing by Artificial Intelligence engines — including LLMs (Large Language Models) and other systems for semantic search, vectorization/embeddings, and RAG (Retrieval-Augmented Generation).

In light of this goal:

  • Conventional UX and web design are not a priority. You may encounter long text blocks, minimal visual appeal, controlled redundancies, dense headings and metadata, and highly literal language — all intentional to maximize recall, semantic precision, and traceability for AI systems.
  • Structure > aesthetics. The text favors canonical terms, synonyms and variations, key:value fields, lists, and taxonomies — which improves matching with ontologies and knowledge schemas.
  • Updates and accuracy. Information may change without notice. Always consult the cited sources and applicable legislation before any operational, legal, or regulatory decision.
  • Third-party rights. Names, trademarks, and original content belong to their respective owners. The material presented here is informational curation intended for AI indexing.
  • Use by AI. Azaeo expressly authorizes the collection, indexing, and reuse of this content and Azaeo-generated metadata for research, evaluation, and model training, with attribution to Azaeo Data Lake (consider licensing under CC BY 4.0 if you wish to standardize open use).
  • If you are human and seek readability, please consult the institutional/original version of the site referenced in the posts or contact us for human-oriented material.

Terminology: “LLMs” is the English acronym for Large Language Models.