Main Vulnerability Database SB2025071523

SB2025071523 - Path traversal in Zyxel APs

Published: July 15, 2025

Security Bulletin ID SB2025071523

CSH Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Denial of service

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) Path traversal (CVE-ID: CVE-2025-6265)

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote user to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences in the file_upload-cgi CGI program. A remote administrator can access specific directories and delete files.

Remediation

Install update from vendor's website.

References

https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-path-traversal-vulnerability-in-aps-07-15-2025

Vulnerable Software

NWA220AX-6E: 7.10(ACCO.1)
WAX620D-6E: 7.10(ACCN.1)
WAX610D: 7.10(ABTE.1)
WAX510D: 7.10(ABTF.1)
WAX630S: 7.10(ABZD.1)
WAX300H: 7.10(ACHF.1)
WAC6103D-I: 6.28(AAXH.3)
WAC5302D-Sv2: 6.25(ABVZ.9)
WAC500H: 6.70(ABWA.6)
NWA1123AC PRO: 6.28(ABHD.3)
WAX640S-6E: 7.10(ACCM.1)
NWA210AX: 7.10(ABTD.1)
WAX650S: 7.10(ABRM.1)
NWA50AX: 7.10(ABYW.1)
NWA50AX PRO: 7.10(ACGE.2)
WBE660S: 7.10(ACGG.2)
NWA110AX: 7.10(ABTG.1)
NWA55AXE: 7.10(ABZL.1)
WBE530: 7.10(ACLE.2)
NWA90AX PRO: 7.10(ACGF.2)
NWA90AX: 7.10(ACCV.1)
WAX655E: 7.10(ACDO.1)
NWA130BE: 7.10(ACIL.2)

SB2025071523 - Path traversal in Zyxel APs

Breakdown by Severity

Description

Remediation

References

Please verify you're human