Zyxel security advisory for path traversal vulnerability in APs
CVE: CVE-2025-6265
Summary
Zyxel has released patches to address a path traversal vulnerability in the file_upload-cgi CGI program of certain access point (AP) firmware versions. Users are advised to install these patches for optimal protection.
What is the vulnerability?
The path traversal vulnerability in the file_upload-cgi CGI program of certain AP firmware versions could allow an authenticated attacker with administrator privileges to access specific directories and delete files—such as the configuration file—on a vulnerable device. It is important to note that AP management interfaces are typically accessed within a LAN environment, and this attack would only be successful if strong, unique administrator passwords had already been compromised.
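As an added illustration of the defensive check this bug class calls for (not Zyxel's code; the advisory does not publish the handler), the following C sketch canonicalizes a client-supplied file name and refuses anything that resolves outside the intended directory. The function names, the `upload` directory and the sample files are hypothetical and constructed for the demo.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* Return 0 and fill `out` only if `name` resolves to an existing path inside `base`. */
int resolve_under(const char *base, const char *name, char out[PATH_MAX]) {
    char root[PATH_MAX], joined[2 * PATH_MAX];
    if (!realpath(base, root)) return -1;
    if ((size_t)snprintf(joined, sizeof joined, "%s/%s", root, name) >= sizeof joined)
        return -1;
    /* realpath() collapses "..", "." and symlinks, and fails on a missing target. */
    if (!realpath(joined, out)) return -1;
    size_t n = strlen(root);
    /* The '/' after the root keeps ".../upload_old" from matching ".../upload". */
    if (strncmp(out, root, n) != 0 || out[n] != '/') return -1;
    return 0;
}

/* Create an empty file or a directory at dir/rel (constructed test data). */
static void make(const char *dir, const char *rel, int is_dir) {
    char p[2 * PATH_MAX];
    snprintf(p, sizeof p, "%s/%s", dir, rel);
    if (is_dir) { mkdir(p, 0700); return; }
    FILE *f = fopen(p, "w");
    if (f) fclose(f);
}

/* Constructed tree: T/upload/fw.bin, T/upload_old/a, T/conf. Returns 1 if allowed. */
int demo_allowed(const char *name) {
    static char tmp[] = "/tmp/ptdemoXXXXXX";
    static char base[PATH_MAX];
    char out[PATH_MAX];
    if (!base[0]) {
        if (!mkdtemp(tmp)) return -1;
        make(tmp, "upload", 1);
        make(tmp, "upload_old", 1);
        make(tmp, "upload/fw.bin", 0);
        make(tmp, "upload_old/a", 0);
        make(tmp, "conf", 0);
        snprintf(base, sizeof base, "%s/upload", tmp);
    }
    return resolve_under(base, name, out) == 0;
}

int main(void) {
    printf("fw.bin=%d ../conf=%d\n", demo_allowed("fw.bin"), demo_allowed("../conf"));
    return 0;
}
```

Because `realpath()` requires the target to exist, this form suits delete or read operations; a handler that creates new files would canonicalize the parent directory and validate the final component separately.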
What versions are vulnerable—and what should you do?
After a thorough investigation, we identified the vulnerable AP firmware versions and released patches for models still within their vulnerability support period, as shown in the table below. Please note that on-market products not listed in the table remain unaffected.
To read the complete article see:
Zyxel Security Advisory