Zyxel Patches Critical RCE Flaw in Over a Dozen Router Models

Security Reporter

Zyxel has released security updates for CVE-2025-13942, a critical command injection vulnerability in UPnP functionality affecting 4G/5G LTE routers, DSL/Ethernet CPE devices, and wireless extenders that could allow unauthenticated remote code execution.

Zyxel has released critical security updates to address a severe vulnerability affecting over a dozen router models that could allow unauthenticated attackers to execute remote commands on unpatched devices. The flaw, tracked as CVE-2025-13942, was discovered in the UPnP (Universal Plug and Play) function of various Zyxel networking devices including 4G LTE/5G NR CPE, DSL/Ethernet CPE, Fiber ONTs, and wireless extenders.

Understanding the Vulnerability

The command injection security flaw allows unauthenticated remote attackers to execute operating system commands on affected devices using maliciously crafted UPnP SOAP requests. This type of vulnerability is particularly dangerous because it enables attackers to gain control over the device without needing valid credentials or authentication.

However, Zyxel notes that the practical impact may be more limited than the severity rating suggests. Successful exploitation requires both UPnP and WAN access to be enabled, with the latter being disabled by default on these devices. According to Zyxel's advisory, "WAN access is disabled by default on these devices, and the attack can be carried out remotely only if both WAN access and the vulnerable UPnP function have been enabled."

Affected Devices and Scale

Shadowserver, an internet security watchdog, currently tracks nearly 120,000 internet-exposed Zyxel devices, including over 76,000 routers. This represents a significant attack surface, as these devices are often provided by internet service providers worldwide as default equipment when customers activate new internet service contracts.

Zyxel claims that more than 1 million businesses use its networking products across 150 markets, making this vulnerability particularly concerning for enterprise environments and service providers.

Additional Vulnerabilities Patched

In addition to CVE-2025-13942, Zyxel also addressed two high-severity post-authentication command-injection vulnerabilities on the same day:

  • CVE-2025-13943: A post-authentication command injection flaw
  • CVE-2026-1459: Another post-authentication command injection vulnerability

These vulnerabilities require compromised credentials to exploit but still allow threat actors to execute operating system commands on affected devices.

Government and Industry Response

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is currently tracking 12 Zyxel vulnerabilities impacting the company's routers, firewalls, and NAS devices that have been or are still actively exploited in the wild. This highlights the ongoing security challenges with networking equipment and the importance of timely patching.

End-of-Life Device Concerns

Earlier this month, Zyxel warned about a pair of actively exploited zero-day vulnerabilities, including CVE-2024-40891, that affect end-of-life routers still available for sale online. Rather than patching these legacy devices, Zyxel "strongly" advised customers to replace their routers with newer products whose firmware has already been patched.

The affected legacy products include:

  • VMG1312-B10A, VMG1312-B10B, VMG1312-B10E
  • VMG3312-B10A, VMG3313-B10A, VMG3926-B10B
  • VMG4325-B10A, VMG4380-B10A, VMG8324-B10A, VMG8924-B10A
  • SBG3300, SBG3500

Zyxel stated that these are "legacy products that have reached end-of-life (EOL) for years" and recommended replacement with newer-generation products for optimal protection.

Mitigation and Recommendations

For organizations and individuals using affected Zyxel devices, the following steps are recommended:

  1. Apply security updates immediately: Install the patches released by Zyxel to address CVE-2025-13942 and related vulnerabilities
  2. Check default settings: Verify that WAN access is disabled if not explicitly needed
  3. Review UPnP configuration: Consider disabling UPnP functionality if not required for your network operations
  4. Inventory affected devices: Identify all Zyxel devices in your network and check their vulnerability status
  5. Plan for end-of-life equipment: For legacy devices, begin planning replacement with newer, supported models
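The steps above can be turned into a repeatable inventory check. The following is an added example, not code from Zyxel or from the advisory: it applies the advisory's exposure conditions (remote exploitation only when both WAN access and UPnP are enabled) and the legacy model list from this article to a constructed device inventory. The `patched`, `upnp_enabled` and `wan_access_enabled` fields are assumed to come from your own asset records.

```python
"""Triage Zyxel devices against the conditions stated in the CVE-2025-13942 advisory."""
from dataclasses import dataclass

# Legacy models listed in the article as end-of-life (no patch will be issued).
EOL_MODELS = {
    "VMG1312-B10A", "VMG1312-B10B", "VMG1312-B10E",
    "VMG3312-B10A", "VMG3313-B10A", "VMG3926-B10B",
    "VMG4325-B10A", "VMG4380-B10A", "VMG8324-B10A", "VMG8924-B10A",
    "SBG3300", "SBG3500",
}


@dataclass
class Device:
    name: str
    model: str
    patched: bool              # assumed inventory field: CVE-2025-13942 fix installed
    upnp_enabled: bool
    wan_access_enabled: bool   # disabled by default according to Zyxel


def triage(dev: Device) -> tuple[str, list[str]]:
    """Return (priority, actions). Priorities: replace > critical > high > hardening > ok."""
    if dev.model in EOL_MODELS:
        return "replace", ["end-of-life model: replace with a supported product"]
    actions = []
    if not dev.patched:
        actions.append("install the CVE-2025-13942 security update")
    if dev.wan_access_enabled:
        actions.append("disable WAN access unless explicitly required")
    if dev.upnp_enabled:
        actions.append("disable UPnP unless required for network operations")
    # Both preconditions for unauthenticated remote exploitation are met.
    if not dev.patched and dev.upnp_enabled and dev.wan_access_enabled:
        return "critical", actions
    if not dev.patched:
        return "high", actions          # not remotely reachable in this config, still patch
    return ("hardening" if actions else "ok"), actions


def triage_inventory(devices: list[Device]) -> dict[str, str]:
    """Map device name to priority for the whole inventory."""
    return {d.name: triage(d)[0] for d in devices}


if __name__ == "__main__":
    # Constructed sample inventory; model names other than the EOL list are placeholders.
    sample = [
        Device("isp-cpe-01", "EXAMPLE-CPE", False, True, True),
        Device("branch-ont", "EXAMPLE-ONT", False, True, False),
        Device("legacy-dsl", "VMG1312-B10A", False, False, False),
        Device("office-ext", "EXAMPLE-EXT", True, False, False),
    ]
    for name, prio in triage_inventory(sample).items():
        print(f"{name}: {prio}")
```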

Broader Context

This vulnerability underscores the ongoing security challenges with networking equipment, particularly devices provided by ISPs as default hardware. The combination of widespread deployment, often default configurations, and the critical nature of network infrastructure makes these devices attractive targets for attackers.

Organizations should maintain regular patching schedules for all network infrastructure and consider implementing network segmentation to limit the potential impact of compromised devices. Additionally, when selecting networking equipment, consider the vendor's track record for security updates and support lifecycle.

The Zyxel case also highlights the importance of proper end-of-life management for networking equipment. Devices that are no longer supported should be replaced promptly, even if they appear to be functioning correctly, as unpatched vulnerabilities can provide attackers with persistent access to network infrastructure.
