Zyxel NWA50AX Pro WiFi 6 Access Points Found Vulnerable to Critical Security Flaws

Listen to this Post

Featured Image
A Growing Threat in Enterprise Wi-Fi: Unauthenticated Access and File Deletion Bugs

Zyxel’s NWA50AX Pro WiFi 6 access points, widely used in corporate and industrial environments, have come under serious scrutiny after researchers uncovered multiple high-risk vulnerabilities. These flaws, tied to how the device handles CGI endpoints and file operations, could enable attackers to delete system files or bypass authentication entirely. Leveraging Lighttpd server misconfigurations and unprotected functions in the device’s firmware, the vulnerabilities demonstrate how shared code across product lines can escalate risk on a broader scale.

The exposure primarily stems from a misconfigured auth_zyxel.conf file and flaws in the mod_auth_zyxel module, both responsible for CGI authentication. Researchers found that 28 CGI endpoints, including critical paths like /cgi-bin/file_upload-cgi, could be accessed without credentials by exploiting weak session cookie validation and poor path handling. The most severe flaw—tracked as CVE-2025-XXXXX—allows an attacker to delete arbitrary files on the system using path traversal techniques and a crafted POST request. Notably, this exploit successfully removed a web UI image file in lab tests.

Even more concerning is the reuse of vulnerable code across other Zyxel devices, including network-attached storage (NAS) systems. This duplication suggests that even previously patched issues may still exist in other product lines, such as the flaw addressed in CVE-2024-29974. With 80% of tested devices sharing this faulty logic, the impact could be extensive. While Zyxel has acknowledged the issue and plans a firmware update by July 15, security teams are urged to take proactive steps, including disabling remote admin access and implementing web firewalls.

What Undercode Say:

The Risk Behind Lighttpd Misconfiguration

At the heart of the vulnerability lies Lighttpd, a lightweight web server often embedded in IoT and networking devices. Its mod_auth_zyxel module failed to enforce proper session validation, especially for endpoints exposed in auth_zyxel.conf. A closer look at the file shows an intentional bypass for any path containing /cgi-bin/, essentially white-listing all critical CGI scripts by default. This configuration gap opened a backdoor for unauthenticated access—an unacceptable risk in enterprise-grade networking gear.

The Danger of Path Traversal Vulnerabilities

The standout issue—arbitrary file deletion—relies on the classic path traversal technique, which manipulates file paths using ../ sequences to navigate directories. By targeting file_upload-cgi and misusing the file_path parameter, an attacker can cause the system to call unlink() on any chosen file. The vulnerability’s severity increases with its simplicity: No authentication is required, and the crafted POST payload is relatively easy to construct.

Insecure Defaults Expose Broader Flaws

Security researchers emphasized that this

Shared Codebase: One Bug, Many Devices

Perhaps most troubling is the shared logic between Zyxel’s WiFi access points and its NAS devices. Code reuse can improve development efficiency, but when a flaw exists in shared modules, its impact multiplies. This was the case here, as the file_upload-cgi binary echoed logic from an earlier vulnerability patched in CVE-2024-29974. Unfortunately, that patch did not resolve the issue across all devices, meaning some models remained vulnerable months later.

Cookie Validation Bypasses Invite Impersonation

The researchers also noted a medium-risk flaw in the cookie-based authentication system. The so-called authtok cookies could be easily spoofed, allowing unauthorized users to impersonate administrators or users with elevated privileges. When combined with the exposed CGI scripts, this creates a potent vector for lateral movement within compromised networks.

A Disconnected Security Patch Timeline

Zyxel’s patch timeline has also raised eyebrows. Although the company has committed to releasing updates by July 15, 2025, some researchers argue that such a long lead time leaves users vulnerable for too long. Given that exploits were demonstrated in a controlled environment, it’s only a matter of time before threat actors develop weaponized versions for use in real-world attacks.

Recommended Action for Security Teams

Network admins and security engineers are advised to disable remote administration features immediately and to implement temporary protections using web application firewalls (WAFs). In addition, teams should monitor CGI access logs for unusual patterns, especially involving the file_upload-cgi endpoint. Network segmentation should also be enforced to isolate IoT and non-critical devices from sensitive systems.

Broader Implications for IoT Security

The Zyxel vulnerability exposes deeper issues in the IoT and enterprise networking ecosystem. Many manufacturers still prioritize performance and cost over security, often recycling legacy code with known flaws. This incident should be a wake-up call for vendors and buyers alike: Security must be foundational, not an afterthought.

🔍 Fact Checker Results:

✅ CVE-2025-XXXXX vulnerability confirmed by independent researchers

✅ Code reuse across NAS and AP devices validated through binary analysis
❌ No evidence yet of real-world exploits, but proof-of-concept exists

📊 Prediction:

Given the severity and accessibility of these flaws, threat actors will likely weaponize them within weeks, especially in automated botnets targeting exposed Zyxel access points. Expect to see increased scanning activity and attempted intrusions by late summer 2025. Firmware patching and layered network defenses will be critical to mitigating impact. 🔐💥

References:

Reported By: cyberpress.org
Extra Source Hub:
https://www.github.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram