In a security advisory, Zyxel released updates to fix a critical UPnP command injection, tracked as CVE-2025-13942, that can allow unauthenticated attackers to execute operating system commands on more than a dozen router and CPE models.
KEY FACTS
- Incident: Critical UPnP command injection tracked as CVE-2025-13942
- Affected function: UPnP SOAP handling on 4G LTE and 5G NR CPE, DSL and Ethernet CPE, Fiber ONTs and wireless extenders
- Access required: Both UPnP and WAN access must be enabled for remote exploitation
- Internet exposure: Nearly 120,000 devices visible on a Shadowserver dashboard, including over 76,000 routers
The flaw is a command injection in the UPnP implementation that can be triggered by specially crafted SOAP requests to run OS commands on affected devices.
Successful exploitation requires both UPnP and WAN access to be enabled. WAN access is disabled by default on the devices, which limits remote risk where default settings are retained.
The advisory also notes patches for two high-severity post-authentication command injection issues, CVE-2025-13943 and CVE-2026-1459, which require valid credentials to exploit.
Patches are available for affected models, and users are urged to apply updates. Legacy products that have reached end of life should be replaced because they will not receive fixes.
WHY IT MATTERS
The vulnerability can allow remote command execution on unpatched devices if WAN access and the vulnerable UPnP function are enabled. Applying the supplied updates or replacing unsupported hardware reduces the risk.

