Security researcher Alessandro Sgreccia (aka “rainpwn”) has revealed a set of critical vulnerabilities in Zyxel’s USG FLEX-H firewall series that enable remote code execution (RCE) and privilege escalation—without authentication.
The findings, affecting models including the FLEX 100H and FLEX 700H, threaten the security of organizations relying on these devices for network defense.
How the Exploit Works
The root of the flaw lies in the misconfiguration of a third-party component: PostgreSQL. Although the database itself was up-to-date and secure, Zyxel’s implementation left it exposed to attack due to improper access controls:
.png
)
- PostgreSQL Service Exposure: The database runs on localhost:5432, theoretically shielded from remote attacks. However, if an attacker gains even momentary access (e.g., via a valid SSH session), they can establish an SSH tunnel to forward port 5432, exposing the database externally.
- No Authentication: Critically, the PostgreSQL instance was not password-protected. Attackers could connect as the ‘postgres’ user and run arbitrary SQL commands.
By tunneling the database port and connecting via psql, the researcher could list database tables and, more alarmingly, abuse the COPY FROM PROGRAM function.
This PostgreSQL feature allows the execution of system commands directly from SQL, intended for legitimate data import tasks but ripe for abuse here.
For example:
COPY read_files FROM PROGRAM 'cat /etc/passwd';This command reads sensitive files. More dangerously, it’s possible to spawn a reverse shell, providing the attacker with interactive access to the firewall’s operating system under the ‘postgres’ user context.
Privilege Escalation: From Postgres to Root
The RCE flaw was compounded by additional misconfigurations:
- Log File Exposure: Attackers can read /tmp/webcgi.log, which contains active admin authentication tokens. With these, an attacker can impersonate an admin via HTTP or WebSocket APIs and escalate their privileges.
- SetUID Privilege Escalation: The system mishandled SetUID binaries. By injecting a statically compiled SetUID shell (via the device’s Recovery Manager ZIP mechanism), the attacker could gain full root access after a device reboot.
Sample SetUID exploit code:
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
int main() {
setuid(0); setgid(0); system("/bin/sh"); return 0;
}The vulnerabilities have been assigned CVEs CVE-2025-1731 and CVE-2025-1732. The impact is extensive:
- Remote attackers can execute arbitrary commands with no authentication.
- Attackers can escalate privileges to root, persist on the device, steal VPN credentials, or completely compromise the network perimeter.
All organizations using affected Zyxel FLEX-H firewalls (especially USG FLEX 100H and 700H, firmware 1.31) should consider themselves at risk. The exploit is practical for threat actors with any level of credential, even a mere VPN user, due to race conditions in authentication.
This disclosure highlights the systemic risk posed by architectural and configuration flaws, even when third-party components are up-to-date.
The Zyxel RCE flaw is a stark reminder that security is a process, not a product—a motto echoed by researcher rainpwn and expert Marco Ivaldi, who contributed to the analysis.
Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!
 has revealed a set of critical vulnerabilities in Zyxel’s USG FLEX-H firewall series.){kind=link}