Zyxel has released urgent firmware updates to fix a critical remote command execution vulnerability in multiple product lines, including routers, fiber ONTs, and wireless repeaters. The flaw allows remote attackers to run arbitrary system commands without any authentication, creating a high‑impact risk for both home users and small businesses relying on these devices as their main internet gateway.
What Is CVE-2025-13942 and Why the Zyxel UPnP Vulnerability Is Critical
The vulnerability CVE-2025-13942 is a classic command injection issue in Zyxel’s implementation of UPnP (Universal Plug and Play) on several device families, including 4G LTE/5G NR CPE, DSL/Ethernet CPE, Fiber ONT, and wireless repeaters. UPnP is designed to simplify automatic port forwarding and device discovery on a local network, but improper input handling turns it into an attack vector.
Due to incorrect processing of UPnP parameters, an attacker can craft input that the device’s operating system interprets as shell commands. This allows execution of arbitrary code with system privileges, opening the door to actions such as deploying malware, adding hidden user accounts, modifying firewall rules, or reconfiguring network traffic flows.
How Attackers Exploit CVE-2025-13942 via UPnP and SOAP Requests
To exploit the flaw, an attacker does not need a username or password. The attack relies on sending a specially constructed UPnP SOAP request (the XML‑based messaging format used by UPnP). Because the device fails to properly validate and sanitize parts of this request, the payload is injected into a command context and executed at the operating system level.
One key prerequisite is that UPnP is enabled together with WAN access (remote access from the internet side). WAN management interfaces are often disabled by default, but many users or administrators enable them for remote administration, P2P applications, gaming consoles, and services that require port forwarding. In such configurations, the vulnerable UPnP service becomes remotely reachable and exploitable from the public internet.
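As an added illustration of the defender's side of this mechanism (this is example code written for this article, not Zyxel's code or a published detection rule), the following inspects a UPnP SOAP request body, such as a standard WANIPConnection AddPortMapping call, and flags any argument whose value carries shell metacharacters, which a port-mapping parameter never legitimately contains. The sample requests are constructed; the action and argument names are the standard UPnP ones, and nothing here assumes which parameter the Zyxel bug actually lives in.

```python
import re
import xml.etree.ElementTree as ET

# Shell metacharacters that never belong in a UPnP port-mapping argument.
SHELL_META = re.compile(r"[;&|`$(){}<>\n\\]")
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

def suspicious_soap_args(body: str) -> list:
    """Parse a UPnP SOAP request body and return the (argument, value) pairs
    whose text contains shell metacharacters. A body that is not well-formed
    XML is reported as a single finding rather than silently ignored."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return [("<malformed-xml>", body[:60])]
    findings = []
    soap_body = root.find(f"{{{SOAP_NS}}}Body")
    if soap_body is None:
        return findings
    for action in soap_body:          # e.g. u:AddPortMapping
        for arg in action:            # its NewXxx arguments (unprefixed tags)
            value = arg.text or ""
            if SHELL_META.search(value):
                findings.append((arg.tag, value))
    return findings

def _envelope(description: str) -> str:
    """Build a constructed WANIPConnection AddPortMapping request (sample input)."""
    return f"""<s:Envelope xmlns:s="{SOAP_NS}">
 <s:Body>
  <u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
   <NewRemoteHost></NewRemoteHost>
   <NewExternalPort>25565</NewExternalPort>
   <NewProtocol>TCP</NewProtocol>
   <NewInternalPort>25565</NewInternalPort>
   <NewInternalClient>192.168.1.20</NewInternalClient>
   <NewEnabled>1</NewEnabled>
   <NewPortMappingDescription>{description}</NewPortMappingDescription>
   <NewLeaseDuration>0</NewLeaseDuration>
  </u:AddPortMapping>
 </s:Body>
</s:Envelope>"""

# Constructed samples: a normal game-server mapping and one carrying metacharacters.
BENIGN_REQUEST = _envelope("Minecraft server")
SUSPICIOUS_REQUEST = _envelope("console;echo probe")

if __name__ == "__main__":
    for name, req in (("benign", BENIGN_REQUEST), ("suspicious", SUSPICIOUS_REQUEST)):
        print(name, suspicious_soap_args(req))
```

The same check can be dropped into a reverse proxy or IDS in front of the UPnP control URL; the real fix remains the vendor patch, and the check is only a signal that something is probing the service.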
Scale of Exposure: Tens of Thousands of Zyxel Routers Online
According to data from the Shadowserver Foundation, approximately 120,000 Zyxel devices are currently visible on the internet, including more than 76,000 routers. Not all exposed devices are necessarily affected by CVE-2025-13942, but this level of internet‑facing infrastructure represents a substantial attack surface for botnet operators and ransomware groups.
Once compromised, a router or ONT can be integrated into large‑scale botnets, used for DDoS attacks, traffic proxying to hide malicious activity, crypto‑mining, or as a launchpad for lateral movement into internal corporate or home networks. Previous global campaigns, such as those based on Mirai‑like malware, have shown how quickly vulnerable consumer and SOHO routers can be weaponized at scale.
Additional Zyxel Vulnerabilities Requiring Authentication
Zyxel has also patched two further command injection vulnerabilities, CVE-2025-13943 and CVE-2026-1459. Unlike CVE-2025-13942, these flaws require valid login credentials for the device’s web management interface, but they can still be highly damaging in real‑world attacks.
Attackers frequently obtain router credentials via phishing, weak or default passwords, and credential stuffing based on data from unrelated breaches. Once authenticated, they can tamper with parameters in HTTP requests to trigger command injection, achieving full remote code execution on the router. In practice, this turns a single compromised account into complete control over the device and, potentially, over the entire connected network segment.
Unpatched Zero‑Day Flaws on End‑of‑Life Zyxel Routers
Particular attention has been drawn to two zero‑day vulnerabilities, CVE-2024-40890 and CVE-2024-40891, which are already being exploited in the wild. These issues affect end‑of‑life (EoL) Zyxel routers that no longer receive security updates.
Zyxel has explicitly stated that no patches will be released for these discontinued models, even though some of them can still be found for sale through online retailers. From a security standpoint, this underscores an important trend: home and SOHO network devices now have a limited safe lifespan. Once support ends, the risk of unpatched, actively exploited vulnerabilities increases sharply, and affected hardware should be treated as inherently untrusted.
Security Best Practices for Zyxel Router Owners
1. Immediately install the latest Zyxel firmware update. Check your device model on the official Zyxel support site or via the router’s admin panel and apply the most recent firmware that addresses CVE-2025-13942 and related issues. Enable automatic updates where supported to reduce patching delays.
2. Disable UPnP wherever it is not strictly required. While UPnP makes port management easier, it significantly enlarges the attack surface. If your applications can function without it, turn UPnP off entirely in the router settings.
3. Restrict or disable WAN access and remote management. Avoid exposing the router’s management interface directly to the internet. If remote access is essential, limit it by IP allowlists, use a VPN, and enforce strong authentication policies.
4. Harden authentication with strong, unique passwords and 2FA. Replace default credentials, use long unique passwords stored in a password manager, and enable two‑factor authentication where available. This mitigates the impact of vulnerabilities that depend on account compromise, such as CVE-2025-13943 and CVE-2026-1459.
5. Regularly audit and replace legacy network equipment. Maintain an inventory of routers and access points, verify their support status, and check for known critical vulnerabilities. For unsupported or EoL Zyxel models affected by zero‑day flaws, replacement with a current, supported device is usually safer and more cost‑effective than continued use behind ad‑hoc mitigations.
Routers and ONTs have become the primary gateway to both home and office digital infrastructure, making them a high‑value target for attackers. The Zyxel vulnerabilities around UPnP and zero‑day flaws on legacy devices highlight that security can no longer be limited to endpoint antivirus alone. Timely firmware updates, disabling unnecessary services such as UPnP and direct WAN management, and proactively retiring unsupported hardware are now essential defensive measures. Users and administrators who treat their network equipment as critical security assets today will substantially reduce the opportunities available to attackers tomorrow.