Zyxel has rolled out critical security patches for multiple vulnerabilities affecting its 4G LTE/5G NR CPE, DSL/Ethernet CPE, Fiber ONTs, Security Routers, and Wireless Extenders.
The flaws range from null pointer dereferences causing Denial-of-Service (DoS) to severe command injections allowing remote attackers to execute system commands.
| CVE ID | Severity | Vulnerability Type | Attack Vector | Impact |
|---|---|---|---|---|
| CVE-2025-13942 | Critical (CVSS 9.8) | Command Injection | Remote (UPnP) | OS Command Execution |
| CVE-2025-13943 | High | Command Injection | Authenticated User | OS Command Execution |
| CVE-2026-1459 | High (CVSS 7.2) | Command Injection | Authenticated Admin | OS Command Execution |
| CVE-2025-11845 to 11848 | Medium (CVSS 4.9) | Null Pointer Dereference | Authenticated Admin | Denial-of-Service (DoS) |
While most of these flaws require an attacker to have already compromised administrator credentials, CVE-2025-13942 poses the greatest threat with a CVSS score of 9.8.
This critical command injection flaw resides in the UPnP function of certain devices.
If a user has manually enabled both WAN access and the vulnerable UPnP function, an unauthenticated remote attacker could send malicious SOAP requests to run arbitrary operating system commands.
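As an added illustration (not code from Zyxel's advisory), the following Python script flags the two conditions the advisory ties to exploitation of CVE-2025-13942: UPnP SOAP control requests that reach the device from outside the LAN (WAN exposure), and SOAP argument values carrying shell metacharacters. The log format, the UPnP control path and the LAN subnet are assumptions for the example.

```python
import ipaddress
import re
from typing import Dict, List

# Assumed LAN subnet of the CPE; a request from any other source reached the device via the WAN side.
LAN_NETWORKS = [ipaddress.ip_network("192.168.1.0/24")]

# Constructed sample lines in a simplified "src_ip method path content_type body" format.
# The format and the UPnP control path are assumptions, not taken from Zyxel's advisory.
SAMPLE_LOGS = [
    "192.168.1.20 POST /upnp/control/WANIPConn1 text/xml <NewExternalPort>8080</NewExternalPort>",
    "198.51.100.7 POST /upnp/control/WANIPConn1 text/xml <NewExternalPort>8080</NewExternalPort>",
    "198.51.100.7 POST /upnp/control/WANIPConn1 text/xml <NewPortMappingDescription>x;id</NewPortMappingDescription>",
    "192.168.1.20 GET /cgi-bin/status.cgi text/html ",
]

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) ?(.*)$")
# Characters a shell treats as command separators or substitutions inside an argument value;
# '<' and '>' are deliberately excluded because they are ordinary XML syntax in a SOAP body.
SHELL_META = re.compile(r"[;|`&]|\$\(|\$\{")


def from_lan(src: str) -> bool:
    """True when the source address belongs to one of the configured LAN subnets."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in LAN_NETWORKS)


def classify(line: str) -> Dict[str, object]:
    """Return the source address and a list of finding tags for one log line."""
    m = LOG_RE.match(line)
    if not m:
        return {"src": None, "findings": ["unparsed"]}
    src, method, path, ctype, body = m.groups()
    is_upnp_soap = method == "POST" and "/upnp/" in path and ctype.startswith("text/xml")
    findings: List[str] = []
    if is_upnp_soap and not from_lan(src):
        findings.append("upnp-control-from-wan")          # UPnP reachable from outside the LAN
    if is_upnp_soap and SHELL_META.search(body):
        findings.append("shell-metachars-in-soap-arg")    # argument value looks shell-hostile
    return {"src": src, "findings": findings}


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Keep only the lines that produced at least one finding."""
    return [r for r in (classify(ln) for ln in lines) if r["findings"]]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(hit)
```

Any "upnp-control-from-wan" hit on a device that should have WAN access disabled is itself a configuration finding, independent of whether the request body looks malicious.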
Denial-of-Service Attack Vectors
Zyxel addressed four null pointer dereference vulnerabilities (CVE-2025-11845 through CVE-2025-11848) across multiple CGI programs, each carrying a CVSS score of 4.9.
An authenticated attacker with admin privileges can send specially crafted HTTP requests to trigger a DoS condition.
Fortunately, WAN access is disabled by default, meaning these attacks only succeed if user-configured passwords are compromised.
Zyxel has released firmware updates for the majority of affected models, though patches for CVE-2026-1459 will only be available in March 2026.
Users are strongly advised to download the latest firmware from official support channels and ensure WAN access remains disabled to prevent remote attacks.
End-users who received devices directly from their ISPs should contact their provider’s support team for customized updates.