Zyxel warns over a dozen routers could be affected by critical RCE security flaw

• Zyxel patched seven flaws across multiple devices, including critical CVE-2025-13942 (9.8/10)
• Command injection via UPnP could allow remote OS command execution if WAN access and UPnP are enabled
• Around 120,000 Zyxel devices are internet-exposed

Zyxel has confirmed it recently patched half a dozen vulnerabilities, including a critical-severity issue which allowed threat actors to execute arbitrary commands remotely.

In a security advisory, Zyxel detailed patching a command injection vulnerability in the UPnP function of certain 4G LTE/5G NR CPE, DSL/Ethernet CPE, Fiber ONTs, and Wireless Extenders firmware versions. This vulnerability is tracked as CVE-2025-13942, and was given a severity score of 9.8/10 (critical).

By sending specially crafted UPnP SOAP requests, unauthenticated attackers can execute OS commands on a vulnerable endpoint, Zyxel said, but stressed that certain conditions must be met, first.