Critical RCE flaw in Zyxel routers puts users at risk

Summary
– Zyxel has patched a critical vulnerability (CVE-2025-13942) allowing unauthenticated remote command execution on many router models via UPnP.
– Successful exploitation of this flaw requires both UPnP and WAN access to be enabled, with WAN access disabled by default, limiting potential attacks.
– The company also fixed two high-severity, post-authentication command injection vulnerabilities (CVE-2025-13943 and CVE-2026-1459).
– Zyxel devices are widely targeted, with nearly 120,000 exposed online and CISA tracking 12 actively exploited vulnerabilities in its products.
– Zyxel will not patch two actively exploited zero-days in end-of-life routers, instead strongly recommending customers replace those devices.
A critical security vulnerability has been identified in a range of Zyxel networking devices, including routers and wireless extenders, which could allow attackers to remotely execute commands on affected systems. The flaw, designated CVE-2025-13942, is a command injection issue within the UPnP function. While the vulnerability carries a high severity rating, its practical exploitation is somewhat constrained. Successful attacks require both the UPnP service and WAN access to be enabled on the target device, and WAN access is disabled in the default configuration. Zyxel has released firmware updates to address this and other related security issues, strongly urging users to apply the patches promptly to secure their networks.
The company also resolved two additional high-severity flaws, CVE-2025-13943 and CVE-2026-1459. These are post-authentication command injection vulnerabilities, meaning an attacker would first need to obtain valid login credentials to exploit them. This latest round of patches underscores the ongoing security challenges facing widely deployed networking hardware.
Networking equipment from manufacturers like Zyxel is a frequent target for malicious actors. These devices are commonly supplied by internet service providers to customers, making them ubiquitous. According to data from the Shadowserver Foundation, nearly 120,000 Zyxel devices are currently exposed to the internet, with over 76,000 of those being routers. This large attack surface attracts consistent attention from threat groups.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is actively monitoring a dozen different Zyxel vulnerabilities that impact routers, firewalls, and network-attached storage devices. Many of these flaws have a history of being exploited in real-world attacks, highlighting the importance of maintaining updated firmware.
Separately, Zyxel recently addressed concerns regarding older, end-of-life router models. The company confirmed it will not release patches for two zero-day vulnerabilities, CVE-2024-40891 and CVE-2024-40892, which affect these legacy products. Instead, Zyxel strongly recommends that customers replace outdated hardware with newer, supported models to ensure continued security protection. The affected devices, such as the VMG1312 and SBG3300 series, have been out of active support for several years but can still be found for sale through various online retailers.
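The advisory conditions above (CVE-2025-13942 is reachable without credentials only when UPnP and WAN access are both enabled; end-of-life models such as the VMG1312 series get no fix and should be replaced) translate directly into a fleet triage rule. The following is an added example, not Zyxel's tooling or anything from the source article: it takes a constructed device inventory (hostnames, patch states and the MODEL-PLACEHOLDER labels are all made up; only the VMG1312 model name comes from the article) and ranks each device by the action an administrator should take first.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class ZyxelDevice:
    """One inventory record as an administrator would track it (constructed schema)."""
    hostname: str
    model: str
    end_of_life: bool           # True for models the vendor no longer patches
    patched: bool               # running firmware includes the CVE-2025-13942 fix
    upnp_enabled: bool
    wan_access_enabled: bool    # WAN-side management; disabled by default on Zyxel

# Lower number = handle first.
ACTION_ORDER = {"replace": 0, "patch_now": 1, "patch": 2, "ok": 3}

def classify(dev: ZyxelDevice) -> Tuple[str, str]:
    """Map one device to (action, reason) using the advisory's preconditions.

    The unauthenticated path exists only when UPnP AND WAN access are both on;
    an unpatched device with either one off is still exposed to the two
    post-authentication injection bugs, so it still needs the update.
    """
    if dev.end_of_life:
        return "replace", "end-of-life model: vendor will not ship a fix"
    if dev.patched:
        return "ok", "firmware contains the fix"
    if dev.upnp_enabled and dev.wan_access_enabled:
        return "patch_now", "UPnP and WAN access both enabled: pre-auth RCE reachable from the internet"
    return "patch", "unpatched; preconditions for the pre-auth path not met, post-auth bugs still apply"

def interim_mitigations(dev: ZyxelDevice) -> List[str]:
    """Settings to turn off until the patch is applied or the device is replaced."""
    steps = []
    if dev.wan_access_enabled:
        steps.append("disable WAN-side management")
    if dev.upnp_enabled:
        steps.append("disable UPnP")
    return steps

def triage(devices: List[ZyxelDevice]) -> List[Tuple[str, str, str]]:
    """Return (hostname, action, reason) rows, most urgent first."""
    rows = [(d.hostname, *classify(d)) for d in devices]
    return sorted(rows, key=lambda r: (ACTION_ORDER[r[1]], r[0]))

# Constructed sample inventory; states are invented for the example.
SAMPLE_INVENTORY = [
    ZyxelDevice("branch-gw", "MODEL-PLACEHOLDER", False, False, True, True),
    ZyxelDevice("home-ext", "MODEL-PLACEHOLDER", False, False, True, False),
    ZyxelDevice("legacy-dsl", "VMG1312", True, False, True, True),
    ZyxelDevice("hq-gw", "MODEL-PLACEHOLDER", False, True, False, False),
]

if __name__ == "__main__":
    for host, action, reason in triage(SAMPLE_INVENTORY):
        print(f"{host:12} {action:10} {reason}")
    for dev in SAMPLE_INVENTORY:
        print(dev.hostname, "interim:", interim_mitigations(dev) or ["none"])
```

The ordering puts end-of-life hardware first because no amount of configuration change fixes it, then unpatched devices with the full pre-auth precondition set, then everything else still awaiting the update. `interim_mitigations` lists the toggles that remove the unauthenticated path while the patch window is open; it is not a substitute for the firmware update.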
With Zyxel claiming over a million business customers globally, the security of its product ecosystem is of significant importance. Regular updates and proactive replacement of obsolete hardware remain the most effective strategies for organizations and individuals to defend against evolving cyber threats targeting network infrastructure.
(Source: Bleeping Computer)