Vulnerability Description
An incorrect permission assignment vulnerability in the PostgreSQL commands of the Zyxel USG FLEX H series uOS firmware versions from V1.20 through V1.31 could allow an authenticated local attacker with low privileges to gain access to the Linux shell and escalate their privileges by crafting malicious scripts or modifying system configurations with administrator-level access through a stolen token. Modifying the system configuration is only possible if the administrator has not logged out and the token remains valid.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Zyxel | Uos | >= 1.20, < 1.32 |
| Zyxel | Usg Flex 100H | - |
| Zyxel | Usg Flex 100Hp | - |
| Zyxel | Usg Flex 200H | - |
| Zyxel | Usg Flex 200Hp | - |
| Zyxel | Usg Flex 500H | - |
| Zyxel | Usg Flex 50H | - |
| Zyxel | Usg Flex 50Hp | - |
| Zyxel | Usg Flex 700H | - |
Related Weaknesses (CWE)
References
- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisVendor Advisory
- http://seclists.org/fulldisclosure/2025/Apr/27Mailing List
FAQ
What is CVE-2025-1731?
CVE-2025-1731 is a vulnerability with a CVSS score of 7.8 (HIGH). An incorrect permission assignment vulnerability in the PostgreSQL commands of the Zyxel USG FLEX H series uOS firmware versions from V1.20 through V1.31 could allow an authenticated local attacker wi...
How severe is CVE-2025-1731?
CVE-2025-1731 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-1731?
Check the references section above for vendor advisories and patch information. Affected products include: Zyxel Uos, Zyxel Usg Flex 100H, Zyxel Usg Flex 100Hp, Zyxel Usg Flex 200H, Zyxel Usg Flex 200Hp.