Zyxel devices are affected by critical vulnerabilities that allow attackers to execute code remotely.
Zyxel has released security updates for a critical vulnerability that allows unauthenticated remote attackers to execute system commands.
Remote code execution via UPnP flaw
The vulnerability (CVE-2025-13942) is located in the UPnP function of certain 4G/5G CPE models, DSL and fiber routers, and Wi-Fi extenders. According to Zyxel, attackers can execute OS commands on vulnerable devices via UPnP SOAP requests.
The impact is more limited than the severity score suggests. For successful exploitation, both UPnP and WAN access must be enabled. WAN access is disabled by default, Zyxel writes in a security advisory.
In addition, Zyxel has patched two other critical vulnerabilities (CVE-2025-13943 and CVE-2026-1459), which can be exploited if an attacker already possesses valid login credentials, Bleeping Computer reports.
Thousands of devices accessible online
According to Shadowserver, nearly 120,000 devices are accessible via the internet, including more than 76,000 routers. Approximately 10,800 of these are located in France, followed by 2,000 in the Netherlands and 205 in Belgium. Zyxel equipment is often supplied by default by internet service providers, making it an attractive target.
Zyxel advises customers to install patches as soon as possible and to disable unnecessary WAN and UPnP access.
