Critical Zyxel Vulnerabilities Expose Routers to Remote Command Injection

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


Critical firmware updates have been released to address multiple serious vulnerabilities in networking devices, including 4G LTE/5G NR CPEs, DSL/Ethernet CPEs, Fiber ONTs, Security Routers, and Wireless Extenders.

These flaws expose affected routers to remote command injection and denial-of-service (DoS) attacks.

The security advisory highlights seven distinct vulnerabilities discovered by security researchers Tiantai Zhang, Víctor Fresco, and Watchful IP.

The most critical is an unauthenticated command injection flaw; the remaining six are post-authentication command injection flaws and null pointer dereferences.

Attack Mechanics and Risk Analysis

The most severe threat stems from CVE-2025-13942 (CVSS 9.8), which allows remote code execution (RCE) without requiring user authentication.

If a malicious actor sends a specially crafted UPnP request, they can completely compromise the device’s operating system.

Fortunately, a built-in mitigating factor exists: WAN access is restricted by default on all affected Zyxel devices.

| CVE ID | Vulnerability Type | Impact & Attack Vector |
|---|---|---|
| CVE-2025-13942 | Command Injection (UPnP) | Remote attackers can execute arbitrary OS commands via crafted UPnP SOAP requests. |
| CVE-2025-13943 | Post-Auth Command Injection | Authenticated users can run OS commands through the log file download feature. |
| CVE-2026-1459 | Post-Auth Command Injection | Authenticated admins can execute OS commands via the TR-369 certificate download CGI. |
| CVE-2025-11845 | Null Pointer Dereference | Crafted HTTP requests to the certificate downloader CGI trigger device DoS. |
| CVE-2025-11846 | Null Pointer Dereference | Malformed HTTP requests to the account settings CGI cause DoS. |
| CVE-2025-11847 | Null Pointer Dereference | Malformed HTTP requests to the IP settings CGI cause DoS. |
| CVE-2025-11848 | Null Pointer Dereference | Crafted requests to the Wake-on-LAN CGI can crash the device (DoS). |

An attack can only succeed if a user has manually enabled both WAN access and the vulnerable UPnP function.

Similarly, the DoS vulnerabilities and the post-authentication command injection flaws can only be exploited by an attacker who already holds compromised administrator credentials.

Dozens of specific models are impacted, including popular enterprise and consumer lines. Below is a snapshot of devices vulnerable to the critical CVE-2025-13942 flaw:

| Product Category | Affected Model | Affected Version | Patch Version |
|---|---|---|---|
| 4G LTE/5G NR CPE | Nebula NR7101 | 1.16(ACCC.1)C0 & earlier | 1.16(ACCC.1)V0 |
| DSL/Ethernet CPE | DX4510-B0 | 5.17(ABYL.10)C0 & earlier | 5.17(ABYL.10.1)C0 |
| Fiber ONTs | PX5301-T0 | 5.44(ACKB.0.5)C0 & earlier | 5.44(ACKB.0.6)C0 |
| Wireless Extenders | WX5610-B0 | 5.18(ACGJ.0.4)C0 & earlier | 5.18(ACGJ.0.5)C0 |

Zyxel has released firmware updates for the vast majority of affected products.

However, specific DSL/Ethernet CPE models affected by CVE-2026-1459 (such as the DX5401-B1 and EMG3525-T50B) are scheduled to receive official patches in March 2026.

To maintain optimal network protection, administrators must take immediate action:

| Mitigation Step | Description |
|---|---|
| Apply Firmware Updates | Download and install the latest firmware from the official support portal or community forum. |
| Restrict WAN Access | Disable WAN access and UPnP on external interfaces unless absolutely necessary. |
| Update Credentials | Change default or weak passwords to prevent post-authentication exploitation. |
| Contact ISPs | For ISP-provided devices, contact your provider for custom firmware updates. |
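As an added example (not part of the article and not Zyxel's own tooling), the following Python check takes the affected/patch versions from the CVE-2025-13942 snapshot table above and classifies a device inventory so an administrator can see which units still need the firmware update. The version-string grammar, the reading of "& earlier" as "same build code with numeric components no higher than the listed build", and the sample inventory are all assumptions constructed for this example.

```python
import re
from typing import NamedTuple

# Affected/patch pairs for CVE-2025-13942, copied from the article's snapshot
# table (a subset, not Zyxel's full list).
ADVISORY = {
    "Nebula NR7101": ("1.16(ACCC.1)C0",   "1.16(ACCC.1)V0"),
    "DX4510-B0":     ("5.17(ABYL.10)C0",  "5.17(ABYL.10.1)C0"),
    "PX5301-T0":     ("5.44(ACKB.0.5)C0", "5.44(ACKB.0.6)C0"),
    "WX5610-B0":     ("5.18(ACGJ.0.4)C0", "5.18(ACGJ.0.5)C0"),
}

# Assumed grammar: <major>.<minor>(<BUILDCODE>.<n>[.<n>...])<letter><digit>
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\(([A-Z]+)((?:\.\d+)+)\)([A-Z]\d+)$")

class ZyxelVersion(NamedTuple):
    major: int
    minor: int
    code: str        # build code, e.g. ABYL
    release: tuple   # numeric release components, e.g. (10, 1)
    suffix: str      # build suffix, e.g. C0 or V0

def parse_version(s):
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Zyxel version string: {s!r}")
    major, minor, code, rel, suffix = m.groups()
    release = tuple(int(x) for x in rel.strip(".").split("."))
    return ZyxelVersion(int(major), int(minor), code, release, suffix)

def assess(model, running):
    """Return 'patched', 'affected', 'unknown' or 'not-listed' for one device."""
    if model not in ADVISORY:
        return "not-listed"
    affected_s, patch_s = ADVISORY[model]
    if running.strip() == patch_s:
        return "patched"            # exact match with the advisory's fixed build
    cur, affected = parse_version(running), parse_version(affected_s)
    if cur.code != affected.code:
        return "unknown"            # different firmware branch: verify by hand
    # Assumption: "& earlier" means numeric parts <= the listed affected build.
    if (cur.major, cur.minor, cur.release) <= (affected.major, affected.minor, affected.release):
        return "affected"
    return "unknown"

def audit(inventory):
    """Group an iterable of (model, running_version) pairs by assessment."""
    report = {}
    for model, version in inventory:
        report.setdefault(assess(model, version), []).append(model)
    return report

if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    sample = [("DX4510-B0", "5.17(ABYL.9)C0"), ("PX5301-T0", "5.44(ACKB.0.6)C0"),
              ("Nebula NR7101", "1.16(ACCC.1)C0"), ("WX5610-B0", "5.19(ACGJ.0.1)C0")]
    for status, models in sorted(audit(sample).items()):
        print(f"{status:10} {', '.join(models)}")
```

Devices reported as "unknown" run a build the snapshot does not cover and should be checked against Zyxel's full advisory rather than assumed safe.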
