Current Cyber Threats

Critical Zyxel Router Flaw Exposed Devices to Remote Attacks

Summary:
Zyxel has disclosed and patched a critical command injection vulnerability, CVE-2025-13942 (CVSS 9.8), affecting more than a dozen of its router and CPE models, including 4G LTE/5G NR CPEs, DSL/Ethernet CPEs, Fiber ONTs, and wireless extenders. The flaw resides in the UPnP feature of affected device firmware, allowing an unauthenticated remote attacker to execute arbitrary OS commands by sending specially crafted UPnP SOAP requests.

Several additional vulnerabilities were disclosed alongside it, including two null pointer dereference flaws (CVE-2025-11847, CVE-2025-11848) that enable authenticated denial-of-service attacks, and two post-authentication command injection bugs (CVE-2025-13943, CVE-2026-1459) in the log download and TR-369 certificate functions.

Security Officer Comments:
The most severe vulnerability, CVE-2025-13942, poses a significant risk to organizations and individuals using affected Zyxel devices where WAN access and the UPnP function have both been enabled. Successful unauthenticated exploitation could give a remote attacker full OS-level command execution on the device, potentially enabling network interception, traffic manipulation, lateral movement into connected internal networks, or use of the device as a persistent foothold for further attacks.

For IT sector environments, the risk is compounded by the fact that edge routers and CPE devices are critical chokepoints for network security. The post-authentication vulnerabilities, while requiring compromised credentials, still represent a meaningful escalation risk if administrator accounts are reused or weakly secured.

For a Managed Service Provider, the impact of this vulnerability is significantly amplified. MSPs typically deploy and manage Zyxel routers and CPE devices across dozens or hundreds of client environments simultaneously, meaning a single unpatched device model in their standard deployment stack could represent a wide and uniform attack surface across their entire customer base. If an adversary identifies that a particular MSP standardizes on affected Zyxel hardware, they could systematically target those devices across all managed clients, turning one vulnerability into a multi-tenant breach scenario.

The UPnP exploitation vector is particularly concerning in MSP contexts because UPnP is sometimes enabled deliberately to support client services such as VoIP, remote access tools, or media devices. If WAN access has also been enabled for remote management, as is common practice for MSPs that need to administer client edge devices, both conditions required for remote exploitation are already met across potentially many client sites at once.

Suggested Corrections:
Zyxel has released or is releasing patched firmware for all affected models, with remaining fixes for certain DSL/Ethernet CPE models (DX5401-B1, EMG3525-T50B, EMG5523-T50B, VMG3625-T50B/C, and VMG8623-T50B) expected in March 2026.

Organizations should apply available firmware updates immediately and monitor Zyxel's security advisory page for patch availability on outstanding models.

As an interim measure, administrators should verify that WAN access and UPnP are disabled on affected devices unless explicitly required, as both must be enabled simultaneously for remote exploitation of the critical flaw to succeed.

Additionally, organizations should audit administrator credentials on Zyxel devices and enforce strong, unique passwords to reduce the risk of exploitation through the post-authentication vulnerabilities.

Link(s):
https://www.zyxel.com/global/en/sup...ity-routers-and-wireless-extenders-02-24-2026