Zyxel warns of critical RCE flaw affecting over a dozen routers

Zyxel released security updates for CVE-2025-13942, a critical UPnP command-injection flaw in multiple 4G/5G CPE, DSL/Ethernet CPE, fiber ONT, and wireless extender models that can allow unauthenticated remote OS command execution. Exploitation is possible only when both UPnP and WAN access are enabled. Zyxel also patched two high-severity post-authentication command-injection bugs and urged replacement of end-of-life routers, while Shadowserver and CISA track widespread exposed devices and active exploitation.

Key points

  • Zyxel released patches for CVE-2025-13942, a critical UPnP command-injection flaw affecting multiple router, CPE, ONT, and extender models.
  • Unauthenticated remote OS command execution is possible via malicious UPnP SOAP requests when UPnP and WAN access are enabled.
  • Zyxel also patched two high-severity post-authentication command-injection vulnerabilities (CVE-2025-13943 and CVE-2026-1459) that require compromised credentials.
  • Shadowserver reports nearly 120,000 Internet-exposed Zyxel devices, including over 76,000 routers, which increases the attack surface for default ISP-supplied units.
  • Zyxel will not patch certain zero-day flaws in end-of-life routers and strongly recommends replacing legacy models. CISA tracks multiple actively exploited Zyxel vulnerabilities.

Read More: https://www.bleepingcomputer.com/news/security/zyxel-warns-of-critical-rce-flaw-affecting-over-a-dozen-routers/