A critical vulnerability in Zyxel’s FLEX-H Series devices enables attackers to execute arbitrary database queries and gain remote code execution without requiring authentication.
The flaw, discovered by a researcher known as “rainpwn” and officially disclosed on April 22, 2025, exposes these enterprise-grade security appliances to potentially devastating attacks.
The vulnerability stems from an architectural misconfiguration in the PostgreSQL database service running on affected devices. While PostgreSQL is normally restricted to localhost access on port 5432, attackers can bypass this limitation through SSH tunneling.
“An SSH tunnel with port forwarding exposes the database service to external access, creating a direct communication channel with the database from a remote system,” explains the researcher.
This vulnerability is particularly dangerous because database access requires no authentication. Once an attacker establishes the SSH tunnel, they can freely execute arbitrary SQL queries against the PostgreSQL instance.
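The design flaw described above is that "only reachable on localhost" was treated as the access control, so the database itself required no credentials. The following is an added example, not code from the article, the researcher or Zyxel: it audits a PostgreSQL pg_hba.conf body for rules that grant access without a credential check. The two configurations are constructed for illustration, and the mapping of "no authentication" to PostgreSQL's `trust` method is an assumption; the point it shows is that a `trust` rule on the loopback address is reachable by anyone who can forward a port over SSH to the device.

```python
import ipaddress
import re

# Two constructed pg_hba.conf bodies (not Zyxel's actual configuration).
# The article says the appliance's database accepts connections without
# authentication; in stock PostgreSQL that corresponds to the 'trust'
# method, which is an assumption made here for illustration.
WEAK_CONF = """\
# TYPE  DATABASE  USER      ADDRESS         METHOD
local   all       all                       trust
host    all       all       127.0.0.1/32    trust
host    all       all       ::1/128         trust
"""

HARDENED_CONF = """\
# TYPE  DATABASE  USER      ADDRESS         METHOD
local   all       postgres                  peer
host    all       app_user  127.0.0.1/32    scram-sha-256
host    all       app_user  ::1/128         scram-sha-256
host    all       all       0.0.0.0/0       reject
"""

_IPV4_MASK = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def parse_hba(text):
    """Return the access rules of a pg_hba.conf body as a list of dicts.

    Handles 'local' rules and 'host'/'hostssl'/'hostnossl' rules written
    either as CIDR or as 'address netmask' (IPv4 only). Auth options that
    follow METHOD are ignored."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if f[0] == "local" and len(f) >= 4:
            rules.append(dict(line=lineno, type="local", db=f[1],
                              user=f[2], address=None, method=f[3]))
        elif f[0] in ("host", "hostssl", "hostnossl") and len(f) >= 5:
            if "/" not in f[3] and len(f) >= 6 and _IPV4_MASK.fullmatch(f[4]):
                address, method = f"{f[3]}/{f[4]}", f[5]   # address + netmask form
            else:
                address, method = f[3], f[4]
            rules.append(dict(line=lineno, type=f[0], db=f[1],
                              user=f[2], address=address, method=method))
    return rules


def is_loopback(address):
    """True for 127.0.0.0/8, ::1 or PostgreSQL's 'samehost' keyword."""
    if address == "samehost":
        return True
    try:
        return ipaddress.ip_network(address, strict=False).is_loopback
    except ValueError:   # hostname, 'all', 'samenet', ...
        return False


def audit_hba(text):
    """List every rule that grants access with no credential check."""
    findings = []
    for r in parse_hba(text):
        if r["method"] != "trust":
            continue
        if r["type"] == "local":
            where = "the Unix socket"
            reach = "any local process, e.g. a user-level SSH login"
        elif is_loopback(r["address"]):
            where = r["address"]
            reach = "any host that can forward a port over SSH to the device"
        else:
            where = r["address"]
            reach = "that whole address range directly"
        findings.append(f"line {r['line']}: 'trust' for user '{r['user']}' on "
                        f"{where} lets {reach} connect without a password")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_hba(conf) or ['no trust rules']}")
```

The hardened variant keeps the database bound to loopback but additionally requires a password (or, on the socket, OS-level `peer` identity) and explicitly rejects everything else, so an SSH tunnel alone no longer yields a database session.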
Zyxel RCE Vulnerability
The exploit leverages PostgreSQL’s powerful but dangerous COPY ... FROM PROGRAM command, which runs a shell command on the database server and captures its output. Security researchers demonstrated this capability with the following code:
This simple query retrieves sensitive system information, but attackers can easily modify it to spawn reverse shells or execute other malicious commands.
The PostgreSQL instance runs with sufficient privileges to enable system-level access.
The vulnerability is part of a more extensive attack chain that can lead to complete system compromise. After gaining initial access as the postgres user, attackers can:
- Exploit a race condition to establish SSH tunnels even with user-level privileges
- Steal authentication tokens from logged-in administrators
- Upload malicious files through the system’s recovery management features
- Achieve root-level access using a specially crafted SetUID binary
“By leveraging this capability, I was able to achieve remote code execution (RCE), successfully executing system commands to retrieve sensitive system information,” the researcher said.
Mitigation
Zyxel has assigned CVE-2025-1731 and CVE-2025-1732 to these vulnerabilities and released security patches on April 14, 2025.
Affected organizations should immediately:
- Update firmware on all Zyxel FLEX-H Series devices to the latest version
- Implement network segmentation to restrict management access
- Monitor for suspicious connection attempts on SSH ports
- Check logs for unusual PostgreSQL activity
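The last two steps above, watching for SSH-tunnelled access and for unusual PostgreSQL activity, are hard to separate by source address: a connection arriving through an SSH tunnel reaches PostgreSQL from 127.0.0.1 and looks local. The following added example (not code from the article or from Zyxel) therefore inspects the statements themselves. It scans a constructed PostgreSQL log excerpt for the COPY ... FROM PROGRAM shape the article describes and for related server-side file access, and groups hits by backend process so one alert covers a whole session. It assumes the server logs statements (`log_statement = 'all'`) with a `log_line_prefix` of `'%t [%p] %u@%d %r '`; adjust the line regex for a different prefix.

```python
import re

# Constructed PostgreSQL server log excerpt (not taken from a Zyxel device).
# Assumed server settings: log_statement = 'all' and
# log_line_prefix = '%t [%p] %u@%d %r ', so each line carries the time,
# backend pid, user@database and the client address.
SAMPLE_LOG = """\
2025-04-22 10:15:01 UTC [4120] postgres@postgres 127.0.0.1(51234) LOG:  connection authorized: user=postgres database=postgres
2025-04-22 10:15:02 UTC [4120] postgres@postgres 127.0.0.1(51234) LOG:  statement: SELECT version();
2025-04-22 10:15:03 UTC [4120] postgres@postgres 127.0.0.1(51234) LOG:  statement: CREATE TEMP TABLE t(line text);
2025-04-22 10:15:04 UTC [4120] postgres@postgres 127.0.0.1(51234) LOG:  statement: COPY t FROM PROGRAM 'id';
2025-04-22 10:15:05 UTC [4120] postgres@postgres 127.0.0.1(51234) LOG:  statement: SELECT pg_read_file('/etc/hostname');
2025-04-22 10:16:00 UTC [4131] app@appdb [local] LOG:  statement: SELECT id FROM sessions WHERE expires > now();
"""

# Matches the assumed log_line_prefix followed by the severity and message.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"(?P<client>\S+) (?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)

# Statement shapes that reach the host filesystem or a shell from SQL.
RULES = [
    ("copy_program", re.compile(r"\bCOPY\b.*\b(FROM|TO)\s+PROGRAM\b", re.I)),
    ("server_file_read", re.compile(r"\bpg_(read_file|read_binary_file|ls_dir)\s*\(", re.I)),
    ("large_object_io", re.compile(r"\blo_(import|export)\s*\(", re.I)),
    ("grant_server_exec", re.compile(r"\bGRANT\b.*\bpg_execute_server_program\b", re.I)),
]


def parse_line(line):
    """Split one log line into its prefix fields; None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def scan_log(text):
    """Return one finding per logged statement that matches a rule."""
    findings = []
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None or not rec["msg"].startswith("statement: "):
            continue
        stmt = rec["msg"][len("statement: "):]
        for name, pattern in RULES:
            if pattern.search(stmt):
                findings.append({"rule": name, "ts": rec["ts"], "pid": rec["pid"],
                                 "user": rec["user"], "client": rec["client"],
                                 "statement": stmt})
    return findings


def sessions_with_findings(findings):
    """Group rule hits by backend pid so one alert covers the whole session."""
    by_pid = {}
    for f in findings:
        by_pid.setdefault(f["pid"], []).append(f["rule"])
    return by_pid


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f"{f['ts']} pid={f['pid']} user={f['user']} client={f['client']} "
              f"rule={f['rule']}: {f['statement']}")
    print("sessions:", sessions_with_findings(hits))
```

Because statement logging is the only reliable signal here, the practical prerequisite is that the device (or any PostgreSQL instance you operate) actually ships its statement log to a collector; a benign `SELECT version()` from 127.0.0.1 is indistinguishable from an operator, but a `COPY ... FROM PROGRAM` from the `postgres` superuser is not something a firewall's own management plane should ever issue.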
The vulnerability highlights the critical importance of proper database access controls and authentication mechanisms, even for services intended to be accessible only locally.
Organizations using Zyxel FLEX-H devices should treat this update as an emergency security measure, as exploitation tools are likely to appear rapidly following public disclosure.