Zyxel routers exposed to Internet risk

Zyxel did not mention whether it observed any attacks, and US CISA has not yet added any of these to its catalogue of exploited vulnerabilities

Zyxel, the Taiwanese networking hardware company, recently addressed six vulnerabilities, including a critical-severity flaw that allowed threat actors to execute arbitrary commands remotely.

The company described how to fix a command injection vulnerability in the UPnP function of specific firmware versions of 4G LTE/5G NR CPE, DSL/Ethernet CPE, Fibre ONTs, and Wireless Extenders in a security advisory. This issue has a severity score of 9.8/10 (critical) and is tracked as CVE-2025-13942.

According to Zyxel, unauthenticated attackers can execute OS commands on a vulnerable device by sending specially crafted UPnP SOAP requests, but specific conditions must be met first.

The Taiwanese firm stated, “It is crucial to remember that WAN access is turned off by default on these devices, and the attack can only be executed remotely if both WAN access and the susceptible UPnP function have been enabled.”

Several products, each with a different firmware version, are affected. Zyxel addressed seven vulnerabilities in total, including four null-pointer dereference vulnerabilities and two post-authentication command injection vulnerabilities.

So far, there is no evidence that any of these flaws are being abused in the wild. Zyxel did not mention whether it observed any attacks, and US CISA (Cybersecurity and Infrastructure Security Agency) has not yet added any of these to its catalogue of exploited vulnerabilities (KEV).

However, according to reports, CISA is currently tracking 12 Zyxel vulnerabilities impacting the company’s routers, firewalls, and NAS devices, which have been or are still actively exploited in the wild.

The attack surface is very wide, since the nonprofit security group Shadowserver Foundation estimates that there are currently about 120,000 Zyxel devices exposed to the Internet, including 76,000 routers. However, the number of these devices that are at risk is currently unknown.

Because Zyxel’s widely used routers, firewalls, and VPN devices frequently expose Internet-facing administrative interfaces and have historically had serious, easily exploitable flaws, hackers have always targeted these products.
