Date: 2026-02-26

Zyxel patched seven flaws across multiple devices, including critical CVE-2025-13942 (9.8/10)

Command injection via UPnP could allow remote OS command execution if WAN access and UPnP are enabled

Around 120,000 Zyxel devices are internet-exposed

Zyxel has confirmed it recently patched half a dozen vulnerabilities, including a critical-severity issue that allowed threat actors to execute arbitrary commands remotely.

In a security advisory, Zyxel detailed patching a command injection vulnerability in the UPnP function of certain 4G LTE/5G NR CPE, DSL/Ethernet CPE, Fiber ONTs, and Wireless Extenders firmware versions. This vulnerability is tracked as CVE-2025-13942, and was given a severity score of 9.8/10 (critical).

By sending specially crafted UPnP SOAP requests, unauthenticated attackers can execute OS commands on a vulnerable endpoint, Zyxel said, but it stressed that certain conditions must be met first.

Patching the flaws

“It is important to note that WAN access is disabled by default on these devices, and the attack can be carried out remotely only if both WAN access and the vulnerable UPnP function have been enabled,” it explained.

Multiple products are affected, each with its own firmware versions. To find out which version your device should be updated to, consult the full list in Zyxel's advisory. In total, Zyxel fixed seven flaws, including two post-authentication command injection vulnerabilities, and four null-pointer dereference vulnerabilities.

So far, there is no evidence that any of these flaws are being abused in the wild. Zyxel did not mention whether it observed any attacks, and US CISA has not yet added any of these to its Known Exploited Vulnerabilities (KEV) catalog.

According to the nonprofit security organization Shadowserver Foundation, there are currently approximately 120,000 internet-exposed Zyxel devices, including 76,000 routers, so the attack surface is rather large. We don’t know how many of these are vulnerable, though.

Hackers love attacking Zyxel products because their widely deployed routers, firewalls, and VPN devices often expose internet-facing management interfaces and have historically suffered from critical, easily exploitable vulnerabilities.

