Networking giant Zyxel has rolled out a wave of urgent security patches addressing multiple vulnerabilities across its fleet of 4G LTE/5G NR CPEs, DSL/Ethernet routers, Fiber ONTs, and Wireless Extenders. While the update covers a mix of denial-of-service (DoS) and command injection bugs, one critical flaw stands out, threatening to give remote attackers complete control over affected devices.
Users are strongly advised to install the newly released patches to maintain optimal protection against potential remote code execution and service disruptions.
The most severe vulnerability in the advisory is CVE-2025-13942, carrying a near-maximum CVSS score of 9.8. This critical flaw resides in the Universal Plug and Play (UPnP) function of the affected telecommunications equipment.
If successfully exploited, the vulnerability allows an attacker to bypass authentication entirely and take over the system.
“A command injection vulnerability in the UPnP function of certain 4G LTE/5G NR CPE, DSL/Ethernet CPE, Fiber ONTs, and Wireless Extenders firmware versions could allow a remote attacker to execute operating system (OS) commands on an affected device by sending specially crafted UPnP SOAP requests.” — Zyxel Security Advisory
Fortunately for many users, mass exploitation of this flaw from the public internet is hindered by default device configurations. Zyxel emphasizes that “WAN access is disabled by default on these devices,” meaning an attacker can only execute this remote attack if the user has manually enabled both WAN access and the vulnerable UPnP feature.
The advisory also details two highly severe post-authentication command injection flaws. While these require an attacker to already have some level of access, the impact remains devastating for compromised networks:
CVE-2025-13943 (CVSS 8.8): Found in the log file download function, this flaw allows an authenticated attacker to execute arbitrary OS commands.
CVE-2026-1459 (CVSS 7.2): Located within the TR-369 certificate download CGI program, this vulnerability allows an authenticated user with administrator privileges to inject malicious commands.
Just like the UPnP flaw, external exploitation is mitigated by default settings. As the advisory notes, “It is important to note that WAN access is disabled by default on these devices, and this attack can only succeed if user-configured passwords have been compromised.”
Rounding out the patch release are three Denial-of-Service vulnerabilities (CVE-2025-11845, CVE-2025-11846, and CVE-2025-11847), each carrying a moderate CVSS score of 4.9.
These flaws stem from “null pointer dereference” issues within various CGI programs, including the certificate downloader and account settings. An authenticated attacker with administrator privileges could send a crafted HTTP request to trigger these vulnerabilities, effectively crashing the device and causing a DoS condition.
Administrators and home users of affected Zyxel devices are urged to apply the latest firmware patches immediately. In addition to patching, organizations should follow the principle of least privilege: ensure that remote WAN access is disabled unless strictly necessary, disable unused UPnP services, and enforce strong, unique passwords to prevent attackers from leveraging the post-authentication flaws.
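As a first step toward the advice above to disable unused UPnP services, this added example (not taken from Zyxel's advisory or from this report) inventories devices on the local segment that answer standard SSDP discovery, so each can be reviewed and UPnP switched off where it is not needed. The function names and the sample reply are constructed for illustration, and the check shows only that a device answers UPnP discovery, not that it is affected by these CVEs.

```python
import socket
SSDP_GROUP = ("239.255.255.250", 1900)  # standard SSDP multicast address and port
# Constructed sample reply (documentation IP, made-up product string).
SAMPLE_REPLY = (b"HTTP/1.1 200 OK\r\nSERVER: ExampleOS/1.0 UPnP/1.0 ExampleCPE/1.0\r\n"
                b"LOCATION: http://192.0.2.1:5000/rootDesc.xml\r\n\r\n")

def build_msearch(mx=2, st="upnp:rootdevice"):
    """Build a standard SSDP M-SEARCH discovery request."""
    lines = ["M-SEARCH * HTTP/1.1", f"HOST: {SSDP_GROUP[0]}:{SSDP_GROUP[1]}",
             'MAN: "ssdp:discover"', f"MX: {mx}", f"ST: {st}", "", ""]
    return "\r\n".join(lines).encode("ascii")

def parse_response(data):
    """Return lower-cased headers of an SSDP 200 reply, or {} for anything else."""
    head, *rest = data.decode("utf-8", errors="replace").split("\r\n")
    parts = head.split()
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or parts[1] != "200":
        return {}
    headers = {}
    for line in rest:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def inventory(replies):
    """Collapse (ip, raw_reply) pairs into one entry per responding host."""
    hosts = {}
    for ip, raw in replies:
        h = parse_response(raw)
        if h:
            entry = hosts.setdefault(ip, {"server": h.get("server", "?"), "locations": set()})
            if "location" in h:
                entry["locations"].add(h["location"])
    return hosts

def discover(timeout=3.0):
    """Send one M-SEARCH on the local segment and inventory whoever answers."""
    replies = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_msearch(), SSDP_GROUP)
        try:
            while True:
                data, (ip, _port) = s.recvfrom(65507)
                replies.append((ip, data))
        except socket.timeout:
            pass
    return inventory(replies)
```

Calling `discover()` from a host on the LAN being audited returns one entry per responding IP address; a device that does not need UPnP should drop out of the result once the feature is disabled.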