Zyxel security advisory for path traversal vulnerability in APs
Zyxel has released patches to address a path traversal vulnerability in the file_upload-cgi CGI program of certain access point (AP) firmware versions. Users are advised to install these patches for optimal protection.
Summary
CVE: CVE-2025-6265
The path traversal vulnerability in the file_upload-cgi CGI program of certain AP firmware versions could allow an authenticated attacker with administrator privileges to access specific directories and delete files—such as the configuration file—on a vulnerable device. It is important to note that AP management interfaces are typically accessed within a LAN environment, and this attack would only be successful if strong, unique administrator passwords had already been compromised.
What versions are vulnerable—and what should you do?
After a thorough investigation, we identified the vulnerable AP firmware versions and released patches for models still within their vulnerability support period. Please note that on-market products not listed remain unaffected.
To read the complete article, see: Zyxel Security Advisory
Found via: Canadian Cyber Centre