Analysis Summary

A critical unauthenticated remote code execution (RCE) vulnerability has been discovered in Zyxel’s FLEX-H Series security appliances, exposing enterprise networks to significant risk. Disclosed by a security researcher on April 22, 2025, this flaw arises from an architectural misconfiguration in the PostgreSQL database service running on affected devices. Although PostgreSQL is typically restricted to localhost access on port 5432, attackers can exploit SSH tunneling with port forwarding to gain external access to the database. This exposes the database to direct manipulation from remote systems without requiring authentication.

Once an attacker establishes an SSH tunnel, they can execute arbitrary SQL queries due to the complete lack of database authentication. The exploit takes advantage of PostgreSQL’s COPY FROM PROGRAM function—a powerful feature that allows execution of system-level commands. Security researchers demonstrated how this function could be used to retrieve sensitive system information, spawn reverse shells, or execute malicious payloads. Critically, the PostgreSQL service on these devices runs with high privileges, providing attackers with the ability to execute commands that can fully compromise the system.

According to the Researcher, the vulnerability is part of a broader attack chain that can ultimately lead to full root-level access. After initially gaining access as the postgres user, attackers can exploit a race condition to maintain SSH tunnels even with limited privileges, steal authentication tokens from administrators, and upload malicious files using the device’s recovery features. Further exploitation through a crafted SetUID binary allows attackers to escalate privileges to root, giving them full control over the affected system. These steps combine to create a highly dangerous and sophisticated attack pathway.

Zyxel has assigned the vulnerabilities CVE-2025-1731 and CVE-2025-1732, and released security patches on April 14, 2025. Organizations using FLEX-H Series devices are urged to treat this as an emergency. Immediate mitigation steps include updating firmware, enforcing strict network segmentation to limit SSH and management access, monitoring for unusual SSH or PostgreSQL activity, and reviewing system logs for signs of compromise. The incident underscores the need for robust database access controls and authentication mechanisms, even for services meant to be accessible only internally. Rapid exploitation is expected given the simplicity and power of the attack vector.

Impact

• Sensitive Information Theft
• Code Execution
• Gain Access

Indicators of Compromise

CVE

• CVE-2025-1731

• CVE-2025-1732

Affected Vendors

Remediation

• Apply the latest security patches released by Zyxel for all affected FLEX-H Series devices (CVE-2025-1731 and CVE-2025-1732).
• Implement network segmentation to isolate and restrict access to management interfaces and the PostgreSQL service.
• Keep a close watch on logs for suspicious SSH connection attempts, especially those involving port forwarding or tunneling.
• Check for unusual SQL queries or database activity, particularly any use of COPY FROM PROGRAM or access attempts from non-local sources.
• Review and secure recovery management features, and eliminate any SetUID binaries that could allow privilege escalation.
• Ensure strong authentication mechanisms are in place for all administrative access, and never leave critical services unauthenticated.
• Maintain regular backups and ensure your incident response team is prepared to react in case of exploitation