Critical firmware updates have been released to address multiple serious vulnerabilities in networking devices, including 4G LTE/5G NR CPEs, DSL/Ethernet CPEs, Fiber ONTs, Security Routers, and Wireless Extenders.
These flaws expose affected routers to remote command injection and denial-of-service (DoS) attacks.
The security advisory highlights seven distinct vulnerabilities discovered by security researchers Tiantai Zhang, Víctor Fresco, and Watchful IP.
The most critical is an unauthenticated command injection flaw, alongside several post-authentication risks and null pointer dereferences.

Attack Mechanics and Risk Analysis

The most severe threat stems from CVE-2025-13942 (CVSS 9.8), which allows remote code execution (RCE) without requiring user authentication.
If a malicious actor sends a specially crafted UPnP request, they can completely compromise the device’s operating system.
Fortunately, a built-in mitigating factor exists: WAN access is restricted by default on all affected Zyxel devices.

| CVE ID | Vulnerability Type | Impact & Attack Vector |
|---|---|---|
| CVE-2025-13942 | Command Injection (UPnP) | Remote attackers can execute arbitrary OS commands via crafted UPnP SOAP requests. |
| CVE-2025-13943 | Post-Auth Command Injection | Authenticated users can run OS commands through the log file download feature. |
| CVE-2026-1459 | Post-Auth Command Injection | Authenticated admins can execute OS commands via TR-369 certificate download CGI. |
| CVE-2025-11845 | Null Pointer Dereference | Crafted HTTP requests to certificate downloader CGI trigger device DoS. |
| CVE-2025-11846 | Null Pointer Dereference | Malformed HTTP requests to account settings CGI cause DoS. |
| CVE-2025-11847 | Null Pointer Dereference | Malformed HTTP requests to IP settings CGI cause DoS. |
| CVE-2025-11848 | Null Pointer Dereference | Crafted requests to Wake-on-LAN CGI can crash the device (DoS). |

An attack exploiting CVE-2025-13942 can only succeed if a user has manually enabled both WAN access and the vulnerable UPnP function.
Similarly, the DoS vulnerabilities and post-authentication command injection require compromised administrator passwords to be exploited.
Dozens of specific models are impacted, including popular enterprise and consumer lines. Below is a snapshot of devices vulnerable to the critical CVE-2025-13942 flaw:

| Product Category | Affected Model | Affected Version | Patch Version |
|---|---|---|---|
| 4G LTE/5G NR CPE | Nebula NR7101 | 1.16(ACCC.1)C0 & earlier | 1.16(ACCC.1)V0 |
| DSL/Ethernet CPE | DX4510-B0 | 5.17(ABYL.10)C0 & earlier | 5.17(ABYL.10.1)C0 |
| Fiber ONTs | PX5301-T0 | 5.44(ACKB.0.5)C0 & earlier | 5.44(ACKB.0.6)C0 |
| Wireless Extenders | WX5610-B0 | 5.18(ACGJ.0.4)C0 & earlier | 5.18(ACGJ.0.5)C0 |
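
To check a device inventory against the table above, the following added example (not code from Zyxel or from the original article) parses the firmware strings and classifies each device. The comparison order (release numbers, then the dotted build numbers, then the trailing letter and digit) is an assumption inferred from the table rows, and the inventory entries are constructed.

```python
import re

# Rows from the table above: model -> (last affected version, patch version).
ADVISORY = {
    "Nebula NR7101": ("1.16(ACCC.1)C0", "1.16(ACCC.1)V0"),
    "DX4510-B0": ("5.17(ABYL.10)C0", "5.17(ABYL.10.1)C0"),
    "PX5301-T0": ("5.44(ACKB.0.5)C0", "5.44(ACKB.0.6)C0"),
    "WX5610-B0": ("5.18(ACGJ.0.4)C0", "5.18(ACGJ.0.5)C0"),
}
_VERSION = re.compile(r"^(\d+)\.(\d+)\(([A-Z]+)\.(\d+(?:\.\d+)*)\)([A-Z])(\d+)$")


def parse(version):
    """Split e.g. '5.17(ABYL.10.1)C0' into (product code, sortable key)."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string: {version!r}")
    major, minor, code, build, letter, num = m.groups()
    build_parts = tuple(int(p) for p in build.split("."))
    # Assumed ordering: release numbers, build numbers, then suffix letter/digit.
    # Integers are compared numerically so that build 9 sorts before build 10.
    return code, (int(major), int(minor), build_parts, letter, int(num))


def audit(model, installed):
    """Classify one device as 'affected', 'patched' or 'unknown'."""
    if model not in ADVISORY:
        return "unknown"  # model is not in the snapshot table
    last_affected, patch = ADVISORY[model]
    code, key = parse(installed)
    ref_code, affected_key = parse(last_affected)
    if code != ref_code:
        return "unknown"  # firmware string belongs to another product line
    if key <= affected_key:
        return "affected"
    return "patched" if key >= parse(patch)[1] else "unknown"


if __name__ == "__main__":
    # Constructed inventory for illustration; not real device data.
    inventory = [
        ("DX4510-B0", "5.17(ABYL.9)C0"),
        ("DX4510-B0", "5.17(ABYL.10.1)C0"),
        ("Nebula NR7101", "1.16(ACCC.1)C0"),
        ("WX5610-B0", "5.18(ACGJ.0.5)C0"),
    ]
    for model, fw in inventory:
        print(f"{model:15} {fw:20} {audit(model, fw)}")
```

A result of `unknown` means the table snapshot cannot decide the case, so the full vendor advisory should be consulted for that device.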

Zyxel has released firmware updates for the vast majority of affected products.
However, specific DSL/Ethernet CPE models affected by CVE-2026-1459 (such as the DX5401-B1 and EMG3525-T50B) are scheduled to receive official patches in March 2026.
To maintain optimal network protection, administrators must take immediate action:

| Mitigation Step | Description |
|---|---|
| Apply Firmware Updates | Download and install the latest firmware from the official support portal or community forum. |
| Restrict WAN Access | Disable WAN access and UPnP on external interfaces unless absolutely necessary. |
| Update Credentials | Change default or weak passwords to prevent post-authentication exploitation. |
| Contact ISPs | For ISP-provided devices, contact your provider for custom firmware updates. |


