Zyxel patches critical command injection vulnerability in routers

Taiwanese networking provider Zyxel has released security updates to address a critical vulnerability affecting over a dozen router models that could allow unauthenticated attackers to gain remote command execution on unpatched devices, according to a recent report by Bleeping Computer.

The vulnerability, tracked as CVE-2025-13942, is a command injection flaw within the UPnP function of various Zyxel CPE and extender models. Attackers could exploit it by sending specially crafted UPnP SOAP requests to execute operating system commands remotely. However, exploitation requires both UPnP and WAN access to be enabled, and WAN access is disabled by default. Zyxel also patched two high-severity post-authentication command injection vulnerabilities (CVE-2025-13943 and CVE-2026-1459) on the same day. Internet-exposed Zyxel devices, numbering nearly 120,000, are frequently targeted due to their widespread use by internet service providers.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is tracking 12 actively exploited Zyxel vulnerabilities. This incident highlights the ongoing risks associated with network equipment, especially for devices that reach end-of-life and are no longer patched, as Zyxel recently announced it would not update certain legacy models. Users are strongly advised to install available patches and consider replacing older devices to maintain optimal security.

Source: Bleeping Computer
