Critical Zyxel router flaw exposed devices to remote attacks

Zyxel fixed a critical flaw in multiple routers that lets unauthenticated attackers remotely execute commands on vulnerable devices.
Zyxel addressed a critical remote code execution vulnerability, tracked as CVE-2025-13942 (CVSS score of 9.8), affecting more than a dozen router models.
A command injection flaw in the UPnP feature of several Zyxel CPEs, Fiber ONTs, and wireless extenders lets attackers run OS commands via crafted UPnP requests. Remote exploitation requires both WAN access and the vulnerable UPnP function to be enabled; WAN access is disabled by default on these devices.
“A command injection vulnerability in the UPnP function of certain 4G LTE/5G NR CPE, DSL/Ethernet CPE, Fiber ONTs, and Wireless Extenders firmware versions could allow a remote attacker to execute operating system (OS) commands on an affected device by sending specially crafted UPnP SOAP requests,” reads the advisory published by the vendor. “It is important to note that WAN access is disabled by default on these devices, and the attack can be carried out remotely only if both WAN access and the vulnerable UPnP function have been enabled.”
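The advisory describes the bug class rather than the affected code path, so the following is an added illustration, not Zyxel's firmware or anything from the advisory: it parses a UPnP SOAP control request, shows the vulnerable pattern (untrusted SOAP arguments interpolated into a shell command string) next to the hardened pattern (strict per-argument allowlist validation and an argv list that never touches a shell), and flags which argument failed. The standard IGD AddPortMapping action, the argument names, the sample requests and the iptables command are all assumptions chosen for the demonstration; the page does not say which UPnP action on the Zyxel devices is affected.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample: a standard UPnP IGD AddPortMapping request (benign form).
# Not taken from the Zyxel advisory, which does not name the affected action.
SAMPLE_BENIGN = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
            s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
  <s:Body>
    <u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
      <NewRemoteHost></NewRemoteHost>
      <NewExternalPort>8080</NewExternalPort>
      <NewProtocol>TCP</NewProtocol>
      <NewInternalPort>80</NewInternalPort>
      <NewInternalClient>192.168.1.20</NewInternalClient>
      <NewEnabled>1</NewEnabled>
      <NewPortMappingDescription>webcam</NewPortMappingDescription>
      <NewLeaseDuration>0</NewLeaseDuration>
    </u:AddPortMapping>
  </s:Body>
</s:Envelope>"""

# Constructed sample: same request with a shell metacharacter in one argument.
SAMPLE_INJECTED = SAMPLE_BENIGN.replace("192.168.1.20", "192.168.1.20;id")

SOAP_NS = "{http://schemas.xmlsoap.org/soap/envelope/}"


def parse_action(body: str):
    """Return (action_name, {argument: value}) from a UPnP SOAP control request."""
    root = ET.fromstring(body)
    soap_body = root.find(f"{SOAP_NS}Body")
    if soap_body is None or len(soap_body) == 0:
        raise ValueError("no SOAP body or action element")
    action = soap_body[0]
    name = action.tag.split("}", 1)[1] if "}" in action.tag else action.tag
    args = {child.tag: (child.text or "") for child in action}
    return name, args


def _is_ip(v: str) -> bool:
    try:
        ipaddress.ip_address(v)
        return True
    except ValueError:
        return False


def _is_port(v: str) -> bool:
    return v.isdigit() and 1 <= int(v) <= 65535


# Allowlist per argument: each value must be exactly the type the action expects,
# so a value like "192.168.1.20;id" is rejected before any command is built.
VALIDATORS = {
    "NewRemoteHost": lambda v: v == "" or _is_ip(v),
    "NewExternalPort": _is_port,
    "NewProtocol": lambda v: v in ("TCP", "UDP"),
    "NewInternalPort": _is_port,
    "NewInternalClient": _is_ip,
    "NewEnabled": lambda v: v in ("0", "1"),
    "NewPortMappingDescription": lambda v: re.fullmatch(r"[A-Za-z0-9 ._-]{0,64}", v) is not None,
    "NewLeaseDuration": lambda v: v.isdigit() and int(v) <= 604800,
}


def validate_args(args: dict) -> list:
    """Return the names of arguments that are missing or fail the allowlist (empty = OK)."""
    return [n for n, check in VALIDATORS.items() if n not in args or not check(args[n])]


def build_rule_vulnerable(args: dict) -> str:
    """Vulnerable pattern (illustrative): untrusted fields interpolated into a shell string.
    If this string were handed to a shell, the ';' in NewInternalClient would end the
    iptables command and start a second one."""
    return (f"iptables -t nat -A PREROUTING -p {args['NewProtocol'].lower()} "
            f"--dport {args['NewExternalPort']} -j DNAT "
            f"--to-destination {args['NewInternalClient']}:{args['NewInternalPort']}")


def build_rule_hardened(args: dict) -> list:
    """Hardened pattern: validate every argument, then build an argv list.
    An argv list passed to subprocess.run without shell=True is never parsed by a shell,
    so metacharacters in a value cannot become a second command."""
    bad = validate_args(args)
    if bad:
        raise ValueError(f"rejected SOAP arguments: {bad}")
    return ["iptables", "-t", "nat", "-A", "PREROUTING",
            "-p", args["NewProtocol"].lower(), "--dport", args["NewExternalPort"],
            "-j", "DNAT", "--to-destination",
            f"{args['NewInternalClient']}:{args['NewInternalPort']}"]


if __name__ == "__main__":
    for label, body in (("benign", SAMPLE_BENIGN), ("injected", SAMPLE_INJECTED)):
        name, args = parse_action(body)
        print(label, name, "rejected:", validate_args(args))
        print("  vulnerable string:", build_rule_vulnerable(args))
```

The same `validate_args` check doubles as a detection rule: run it over captured SOAP bodies from the UPnP control port, and any request whose arguments fail the allowlist is worth an alert regardless of which firmware build is running. For operators the advisory's own mitigation applies first: keep WAN access and the UPnP function disabled until the patched firmware is installed.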
CVE-2026-1459 affects several Zyxel DSL/Ethernet CPE router models, including DX5401-B1, EMG3525-T50B, EMG5523-T50B, VMG3625-T50B/C, and VMG8623-T50B running specified firmware versions and earlier. Zyxel plans to release patched firmware versions for all impacted models in March 2026.
The Taiwanese manufacturer also addressed other vulnerabilities affecting multiple Zyxel CPEs, Fiber ONTs, security routers, and wireless extenders. CVE-2025-11847 and CVE-2025-11848 are null pointer dereference flaws in IP settings and Wake-on-LAN CGI components that allow authenticated administrators to trigger a denial-of-service via crafted HTTP requests. CVE-2025-13943 and CVE-2026-1459 are post-authentication command injection bugs in log download and TR-369 certificate functions, enabling OS command execution. In all cases, WAN access remains disabled by default, and successful exploitation requires compromised administrator credentials.
The researcher Tiantai Zhang from Purdue University disclosed the vulnerabilities CVE-2025-11845, CVE-2025-11846, CVE-2025-11847, and CVE-2025-11848.
Víctor Fresco (@hacefresko) reported the flaws CVE-2025-13942 and CVE-2025-13943, while Watchful IP disclosed the flaw CVE-2026-1459.
Users are urged to update affected routers immediately to prevent exploitation.
Pierluigi Paganini
(SecurityAffairs – hacking, Zyxel)