- Zyxel fixed seven flaws on multiple devices, including critical CVE-2025-13942 (9.8/10)
- Command injection over UPnP could allow remote execution of operating system commands if WAN and UPnP access are enabled
- Around 120,000 Zyxel devices are exposed to the Internet
Zyxel has confirmed that it recently fixed half a dozen vulnerabilities, including a critical issue that allowed threat actors to execute arbitrary commands remotely.
In a security advisory, Zyxel detailed how to patch a command injection vulnerability in the UPnP feature of certain firmware versions of 4G LTE/5G NR CPE, DSL/Ethernet CPE, Fiber ONT, and Wireless Extenders. This vulnerability is tracked as CVE-2025-13942 and was assigned a severity score of 9.8/10 (critical).
By sending specially crafted UPnP SOAP requests, unauthenticated attackers can execute operating system commands on a vulnerable endpoint, Zyxel said, but emphasized that certain conditions must be met first.
Patching the defects
“It is important to note that WAN access is disabled by default on these devices, and the attack can be carried out remotely only if both WAN access and the vulnerable UPnP feature have been enabled,” the company explained.
Several products are affected, each with its own firmware version. To find out which version your device should update to, be sure to read the full list in Zyxel's security advisory. In total, Zyxel fixed seven flaws, including two post-authentication command injection vulnerabilities and four null pointer dereference vulnerabilities.
So far, there is no evidence that any of these flaws are being exploited in the wild. Zyxel did not mention whether it observed any attacks, and the US CISA has not yet added any of them to its Known Exploited Vulnerabilities (KEV) catalog.
According to the nonprofit security organization Shadowserver Foundation, there are currently approximately 120,000 Zyxel devices exposed to the Internet, including 76,000 routers, so the attack surface is quite large. However, we do not know how many of them are vulnerable.
Hackers love to attack Zyxel products because the company's widely deployed routers, firewalls, and VPN devices often expose Internet-facing management interfaces and have historically suffered from critical and easily exploitable vulnerabilities.