Zyxel has released critical security patches for more than twelve router models to fix a vulnerability that could let unauthorized users execute commands remotely. The flaw is in the UPnP functionality of several hardware lines, including 5G NR, 4G LTE, and fiber devices.
Taiwanese networking company Zyxel recently addressed a significant security flaw tracked as CVE-2025-13942, which impacts a wide range of its consumer and enterprise hardware. This command injection vulnerability is located in the Universal Plug and Play (UPnP) function of several device categories, such as wireless extenders and DSL or Ethernet routers. Because the flaw allows remote command execution, it represents a high risk for users who have not yet updated their firmware to the latest available versions.
According to the manufacturer, an attacker does not need to be authenticated to exploit this weakness. By sending a specially crafted SOAP request through the UPnP protocol, a malicious actor could theoretically run operating system commands directly on the hardware. This level of access would allow an intruder to potentially intercept traffic, modify settings, or use the device as a jumping-off point for further attacks within a local network.
Despite the critical nature of the bug, the actual risk to the general public may be mitigated by default configuration settings. Zyxel noted that for an attack to be successful from the internet, a user would need to have both the UPnP service and wide area network access manually enabled. Since WAN access is typically turned off by default on these specific models, the number of devices immediately vulnerable to outside interference is lower than the total number of units in the field.
In addition to the primary vulnerability, the company released fixes for two other high-severity issues identified as CVE-2025-13943 and CVE-2026-1459. These separate flaws also involve command injection but require an attacker to already possess valid login credentials to the device. While these post-authentication bugs are less of an immediate threat to the average user, they still pose a risk if an attacker manages to obtain passwords through phishing or other deceptive methods.
Security monitoring groups like Shadowserver indicate that there are still tens of thousands of Zyxel devices currently exposed to the open internet. Given the potential for exploitation, the manufacturer is urging all customers to verify their settings and install the necessary updates immediately. Users are also encouraged to keep WAN management features disabled unless they are strictly necessary for specific remote administrative tasks.
Source: Zyxel Warns of Critical Remote Code Execution Flaw Affecting Dozen Routers



