Overview
- Zyxel released fixes for CVE-2025-13942, a CVSS 9.8 command-injection bug in the UPnP feature of 4G/5G CPEs, DSL/Ethernet CPEs, fiber ONTs, and wireless extenders that allows unauthenticated OS command execution via crafted SOAP requests.
- Remote exploitation requires both WAN access and UPnP to be enabled; WAN access is off by default on affected devices. Customers are urged to update firmware without delay.
- The company also addressed two high-severity post-authentication command-injection issues—CVE-2025-13943 and CVE-2026-1459—in the log download and TR-369 certificate functions that permit OS command execution using compromised admin credentials.
- Zyxel says additional firmware for models affected by CVE-2026-1459 is planned for March 2026, alongside previously released updates for other affected products.
- Shadowserver reports nearly 120,000 internet-exposed Zyxel devices, CISA is tracking a dozen Zyxel vulnerabilities, and Zyxel continues to advise replacing certain end-of-life routers it will not patch.