Networking provider Zyxel this week released patches for multiple vulnerabilities across dozens of device models, including a critical flaw leading to remote code execution.
The critical-severity bug, tracked as CVE-2025-13942 (CVSS score of 9.8), is described as a command injection issue affecting the UPnP feature of 18 routers, ONTs, and wireless extenders.
An attacker could exploit the flaw via crafted UPnP SOAP requests to execute OS commands on a vulnerable device, Zyxel explains in its advisory.
“It is important to note that WAN access is disabled by default on these devices, and the attack can be carried out remotely only if both WAN access and the vulnerable UPnP function have been enabled,” the company notes.
The networking provider’s fresh round of security updates also resolves CVE-2025-13943 and CVE-2026-1459, two high-severity command injection defects.
Impacting the log file download function and the TR-369 certificate download CGI program of specific router firmware versions, the two vulnerabilities could allow an authenticated attacker to execute OS commands.
Additionally, Zyxel released fixes for four null pointer dereference vulnerabilities that could be exploited by attackers with administrator privileges to cause denial-of-service (DoS) conditions.
Affecting various endpoints of the vulnerable products, these flaws can be exploited via crafted HTTP requests if WAN access is enabled and the attacker possesses compromised user credentials.
Zyxel has published a list of impacted devices, saying that firmware updates are available for all of them. The company makes no mention of any of these vulnerabilities being exploited in the wild, but threat actors are known to have targeted Zyxel bugs in attacks.
Related: Cisco Patches Catalyst SD-WAN Zero-Day Exploited by Highly Sophisticated Hackers
Related: Zyxel Firewall Vulnerability Again in Attacker Crosshairs
Related: Zyxel Issues ‘No Patch’ Warning for Exploited Zero-Days
Related: Nvidia, Zoom, Zyxel Patch High-Severity Vulnerabilities
