Zyxel Routers Hit by Critical Command Injection Flaw: What You Need to Know
Taiwanese networking giant Zyxel is urging users to apply security updates to address a critical vulnerability (CVE-2025-13942) impacting a wide range of its router models. The flaw, a command injection vulnerability within the UPnP function, could allow unauthenticated attackers to remotely execute operating system commands on vulnerable devices.
Understanding the Vulnerability
The vulnerability affects Zyxel's 4G LTE/5G NR CPE, DSL/Ethernet CPE, Fiber ONTs, and wireless extenders. An attacker who can reach the device's UPnP service triggers it by sending a specially crafted UPnP SOAP request. Zyxel states that successful exploitation requires both WAN access to the device and the vulnerable UPnP function to be enabled; a device whose UPnP service is reachable only from the LAN is exposed only to attackers who are already on that LAN.
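To show what the bug class looks like at the code level, here is an added example (not Zyxel firmware and not taken from the advisory) of a UPnP SOAP action handler in its vulnerable and hardened forms. It uses the standard IGD AddPortMapping action purely for illustration; which action and argument CVE-2025-13942 actually lives in is not stated on this page. `echo` stands in for the firewall binary so the code is safe to run.

```python
import ipaddress
import re
import subprocess
import xml.etree.ElementTree as ET

SOAP_BODY = "{http://schemas.xmlsoap.org/soap/envelope/}Body"

# Constructed request for the IGD AddPortMapping action. The NewRemoteHost value
# ends the intended command with ';', runs its own command, and comments out the
# remainder with '#'. The choice of action and argument is an assumption for
# illustration only, not a statement about where Zyxel's bug is.
MALICIOUS_SOAP = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Body>
    <u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
      <NewRemoteHost>203.0.113.5; echo INJECTED #</NewRemoteHost>
      <NewExternalPort>8080</NewExternalPort>
      <NewProtocol>TCP</NewProtocol>
      <NewInternalPort>80</NewInternalPort>
      <NewInternalClient>192.168.1.10</NewInternalClient>
    </u:AddPortMapping>
  </s:Body>
</s:Envelope>"""
BENIGN_SOAP = MALICIOUS_SOAP.replace("; echo INJECTED #", "")


def parse_action(soap_xml):
    """Return (action name, {argument: value}) from a SOAP control envelope."""
    action = ET.fromstring(soap_xml).find(SOAP_BODY)[0]
    return action.tag.split("}")[-1], {c.tag: (c.text or "") for c in action}


def vulnerable_handler(args):
    """Builds the firewall command by string formatting and runs it through 'sh -c'.
    'echo' stands in for the real iptables binary so this is safe to execute."""
    cmd = ("echo iptables -t nat -A PREROUTING -s %s -p %s --dport %s -j DNAT --to %s:%s"
           % (args["NewRemoteHost"], args["NewProtocol"], args["NewExternalPort"],
              args["NewInternalClient"], args["NewInternalPort"]))
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def _port(value):
    """Accept only a decimal port number in 1..65535, as a string."""
    if not re.fullmatch(r"[1-9][0-9]{0,4}", value) or int(value) > 65535:
        raise ValueError("bad port: %r" % value)
    return value


def hardened_handler(args):
    """Type-checks every argument against its IGD state variable, then execs an
    argv list with no shell, so metacharacters in a value never reach an interpreter."""
    remote = args.get("NewRemoteHost", "")
    if remote:                        # empty string means 'any host' in the IGD spec
        ipaddress.ip_address(remote)  # raises ValueError unless it is an IP literal
    client = str(ipaddress.ip_address(args["NewInternalClient"]))
    proto = args["NewProtocol"]
    if proto not in ("TCP", "UDP"):
        raise ValueError("bad protocol: %r" % proto)
    ext_port, int_port = _port(args["NewExternalPort"]), _port(args["NewInternalPort"])
    argv = ["echo", "iptables", "-t", "nat", "-A", "PREROUTING"]
    if remote:
        argv += ["-s", remote]
    argv += ["-p", proto, "--dport", ext_port, "-j", "DNAT", "--to", "%s:%s" % (client, int_port)]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def request_rejected(args):
    """True when the hardened handler refuses the request with a validation error."""
    try:
        hardened_handler(args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    name, args = parse_action(MALICIOUS_SOAP)
    print("vulnerable handler output:\n" + vulnerable_handler(args))  # second line 'INJECTED'
    print("hardened handler rejects injected value:", request_rejected(args))
    print("hardened handler, benign request:\n" + hardened_handler(parse_action(BENIGN_SOAP)[1]))
```

The vulnerable handler prints a second line, `INJECTED`, which is the attacker's command actually running; the hardened handler raises before anything executes, because an IP literal cannot contain `;`. The two fixes that matter are the strict per-argument type check and passing an argv list without a shell; escaping alone is the weaker option because it depends on getting every shell quirk right.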
Severity and Real-World Impact
The vulnerability has been assigned a critical CVSS 3.x base score of 9.8. Zyxel notes that WAN access is disabled by default on most devices, which limits the reachable attack surface. However, the number of internet-exposed Zyxel devices, nearly 120,000 according to Shadowserver data, including over 76,000 routers, shows how large the population is that an attacker could scan. Not every exposed device will have the vulnerable UPnP function enabled, but those that do are reachable by anyone on the internet.
Beyond CVE-2025-13942: Additional Patches
Zyxel also released patches for two additional high-severity post-authentication command-injection vulnerabilities, CVE-2025-13943 and CVE-2026-1459. Both require valid credentials, so an attacker needs a compromised or default password first, but they still matter: a login to the management interface becomes arbitrary command execution on the device.
The Broader Context: Zyxel Security Concerns
Zyxel devices are frequently targeted by attackers, in part because they are often the default equipment provided by internet service providers. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) currently lists 12 actively exploited Zyxel vulnerabilities affecting routers, firewalls, and NAS devices in its Known Exploited Vulnerabilities catalog. Recently, Zyxel announced that it will not patch two zero-day vulnerabilities (CVE-2024-40890 and CVE-2024-40891) in end-of-life routers, advising customers to replace them.
Zyxel serves over 1 million businesses across 150 markets, so the security of its products is a concern for a vast number of organizations and individuals.
Future Trends: The Growing Threat to IoT Devices
The Zyxel vulnerabilities underscore a growing trend: the increasing security risks associated with Internet of Things (IoT) devices. As more devices become connected to the internet, the attack surface expands, creating more opportunities for malicious actors. Several factors contribute to this trend:
- Long Device Lifecycles: Many IoT devices, like routers, have long lifecycles, meaning they remain in use for years after the manufacturer stops providing security updates.
- Default Credentials: Many devices ship with default credentials that users fail to change, making them easy targets for attackers.
- Supply Chain Vulnerabilities: Security flaws can be introduced through third-party components or during manufacturing, so a device can be vulnerable from the day it ships.
- Lack of Security Awareness: Many users are unaware of the security risks associated with IoT devices and fail to take basic precautions.
We can expect to see a continued increase in attacks targeting IoT devices in the coming years. This will likely lead to greater regulatory scrutiny of IoT security and a growing demand for more secure devices.
Staying Protected: Best Practices
To protect yourself from vulnerabilities like CVE-2025-13942, consider these best practices:
- Apply Security Updates: Install security updates as soon as they become available.
- Change Default Credentials: Change the default username and password on all your devices.
- Disable Unnecessary Features: Turn off features you don't need, such as UPnP, and keep WAN-side access to the device's services disabled (the default on most Zyxel models); a service that is not reachable from the internet cannot be exploited from it.
- Use a Strong Firewall: Use a firewall to protect your network from unauthorized access.
- Monitor Your Network: Monitor your network for suspicious activity.
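For the "monitor your network" point, an added example (not from Zyxel or the advisory) of detection logic run over captured UPnP control requests. It flags two things the page's description makes relevant: a SOAP control request arriving from a non-RFC 1918 source, which is exactly the WAN access Zyxel says exploitation needs, and shell metacharacters in any action argument. The control URL `/ctl/IPConn`, the sample captures and the source addresses are constructed for the example.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP_BODY = "{http://schemas.xmlsoap.org/soap/envelope/}Body"
IGD_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"
# Characters that let a value break out of a shell command line; coarse on purpose.
SHELL_META = re.compile(r"[;&|`$()<>\n\\]")
# RFC 1918 ranges: anything else talking to the control URL came from the WAN side.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def make_body(action, **args):
    """Build a minimal SOAP envelope for an IGD action (used only to construct samples)."""
    fields = "".join("<%s>%s</%s>" % (k, escape(v), k) for k, v in args.items())
    return ('<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
            '<s:Body><u:%s xmlns:u="%s">%s</u:%s></s:Body></s:Envelope>'
            % (action, IGD_NS, fields, action))


def make_request(body):
    """Wrap a SOAP body in the HTTP POST a UPnP control point sends. The control URL
    /ctl/IPConn is an assumption; real devices publish theirs in the description XML."""
    return ("POST /ctl/IPConn HTTP/1.1\r\nHost: 192.168.1.1:5000\r\n"
            'SOAPAction: "%s#AddPortMapping"\r\nContent-Type: text/xml\r\n'
            "Content-Length: %d\r\n\r\n%s" % (IGD_NS, len(body), body))


# Constructed captures: (source IP, raw HTTP request). The second one comes from a
# non-RFC 1918 address and carries a shell command separator in NewRemoteHost.
CAPTURES = [
    ("192.168.1.20", make_request(make_body(
        "AddPortMapping", NewRemoteHost="", NewExternalPort="8080", NewProtocol="TCP",
        NewInternalPort="80", NewInternalClient="192.168.1.20", NewEnabled="1",
        NewPortMappingDescription="game console", NewLeaseDuration="0"))),
    ("203.0.113.7", make_request(make_body(
        "AddPortMapping", NewRemoteHost="203.0.113.5; echo INJECTED #", NewExternalPort="8080",
        NewProtocol="TCP", NewInternalPort="80", NewInternalClient="192.168.1.10", NewEnabled="1",
        NewPortMappingDescription="x", NewLeaseDuration="0"))),
]


def parse_http_request(raw):
    """Split a raw HTTP/1.1 request into (request line, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers, body


def soap_args(body):
    """Return (action name, {argument: value}) from a SOAP control envelope."""
    action = ET.fromstring(body).find(SOAP_BODY)[0]
    return action.tag.split("}")[-1], {c.tag: (c.text or "") for c in action}


def inspect_request(src_ip, raw):
    """Return a list of finding tags for one captured request (empty means clean)."""
    findings = []
    request_line, headers, body = parse_http_request(raw)
    if not request_line.startswith("POST ") or "soapaction" not in headers:
        return findings  # not a UPnP control request
    if not any(ipaddress.ip_address(src_ip) in net for net in LAN_NETS):
        findings.append("upnp-control-from-wan")
    action, args = soap_args(body)
    for name, value in args.items():
        if SHELL_META.search(value):
            findings.append("shell-metachar:%s.%s" % (action, name))
    return findings


def scan(captures):
    """Map each source IP to its findings."""
    return {src: inspect_request(src, raw) for src, raw in captures}


if __name__ == "__main__":
    for src, findings in scan(CAPTURES).items():
        print(src, findings or "clean")
```

The metacharacter check is a coarse heuristic and will fire on legitimate descriptions containing parentheses; the stronger signal is `upnp-control-from-wan`, since a UPnP control request from a public address should never happen on a correctly configured CPE and is worth an alert on its own.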
FAQ
- What is UPnP?
- Universal Plug and Play (UPnP) is a set of networking protocols that lets devices on a local network discover each other (via SSDP) and control each other through SOAP requests, for example to open a port on the router. It is convenient on a trusted LAN, but it has no authentication, so exposing it to the WAN lets anyone on the internet send control requests to the device.
- What is a command injection vulnerability?
- A command injection vulnerability arises when untrusted input is inserted into an operating system command without adequate validation or escaping, letting an attacker run arbitrary commands on the system with the privileges of the vulnerable process, which on embedded devices is frequently root.
- Is my Zyxel device affected?
- Check Zyxel’s security advisory (https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-null-pointer-dereference-and-command-injection-vulnerabilities-in-certain-4g-lte-5g-nr-cpe-dsl-ethernet-cpe-fiber-onts-security-routers-and-wireless-extenders-02-24-2026) to see if your model is affected.