Zyxel warns over a dozen routers could be affected by critical RCE security flaw

1 hour ago 5

A person plugging an Ethernet cable into a router

Zyxel patched seven flaws across multiple devices, including critical CVE-2025-13942 (9.8/10)
Command injection via UPnP could allow remote OS command execution if WAN access and UPnP are enabled
Around 120,000 Zyxel devices are internet-exposed

Zyxel has confirmed it recently patched half a dozen vulnerabilities, including a critical-severity issue which allowed threat actors to execute arbitrary commands remotely.

In a security advisory, Zyxel detailed patching a command injection vulnerability in the UPnP function of certain 4G LTE/5G NR CPE, DSL/Ethernet CPE, Fiber ONTs, and Wireless Extenders firmware versions. This vulnerability is tracked as CVE-2025-13942, and was given a severity score of 9.8/10 (critical).

By sending specially crafted UPnP SOAP requests, unauthenticated attackers can execute OS commands on a vulnerable endpoint, Zyxel said, but stressed that certain conditions must be met, first.

Patching the flaws

“It is important to note that WAN access is disabled by default on these devices, and the attack can be carried out remotely only if both WAN access and the vulnerable UPnP function have been enabled,” it explained.

Multiple products are affected, each with their own firmware versions. To find out which version your device should be updated to, make sure to read the full list here. In total, Zyxel fixed seven flaws, including two post-authentication command injection vulnerabilities, and four null-pointer dereference vulnerabilities.

So far, there is no evidence that any of these flaws are being abused in the wild. Zyxel did not mention if it observed any attacks, and US CISA has not yet added any of these to its catalog of exploited vulnerabilities (KEV).

According to the nonprofit security organization Shadowserver Foundation, there are currently approximately 120,000 internet-exposed Zyxel devices, including 76,000 routers, so the attack surface is rather large. We don’t know how many of these are vulnerable, though.

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Hackers love attacking Zyxel products because their widely deployed routers, firewalls, and VPN devices often expose internet-facing management interfaces and have historically suffered from critical, easily exploitable vulnerabilities.

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!

And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.

Read Entire Article