Critical Zyxel Router Flaw Exposed Devices to Remote Attacks

A recent vulnerability discovered in multiple Zyxel router models has left thousands of devices exposed to remote attacks, highlighting the importance of regular firmware updates and robust cybersecurity measures. The critical flaw, tracked as CVE-2025-13942 (CVSS score of 9.8), was identified by researchers Tiantai Zhang from Purdue University and Víctor Fresco (@hacefresko) through extensive security testing. In this article, we'll delve into the details of the vulnerability, its impact on affected devices, and what users can do to protect themselves.

The vulnerability is a command injection flaw in the UPnP feature of several Zyxel CPEs (Customer Premises Equipment), Fiber ONTs (Optical Network Terminals), and wireless extenders. This allows unauthenticated attackers to remotely execute commands on vulnerable devices, potentially leading to unauthorized access, data theft, or even system compromise.

The attack vector requires both WAN (Wide Area Network) access and the vulnerable UPnP function to be enabled, with WAN access disabled by default. According to Zyxel's advisory, remote exploitation of this vulnerability can only occur if both conditions are met, which limits its potential impact but still poses a significant threat to unsuspecting users.

Several Zyxel router models have been affected by this vulnerability, including DX5401-B1, EMG3525-T50B, EMG5523-T50B, VMG3625-T50B/C, and VMG8623-T50B running specified firmware versions and earlier. Fortunately, Zyxel plans to release patched firmware versions for all impacted models in March 2026, ensuring that users can update their devices and patch the vulnerability before it's exploited.

In addition to the UPnP feature vulnerability, researchers have discovered several other critical flaws affecting multiple Zyxel CPEs, Fiber ONTs, security routers, and wireless extenders. These include CVE-2025-11847 and CVE-2025-11848, which are null pointer dereference flaws in IP settings and Wake-on-LAN CGI components, respectively. Successful exploitation of these vulnerabilities can lead to denial-of-service attacks via crafted HTTP requests.

Furthermore, CVE-2026-1459 is a post-authentication command injection bug in log download and TR-369 certificate functions, allowing OS command execution. While WAN access remains disabled by default, compromised administrator credentials are required for successful exploitation of these vulnerabilities.

It's essential to note that the researcher Tiantai Zhang from Purdue University played a crucial role in disclosing the vulnerabilities CVE-2025-11845, CVE-2025-11846, CVE-2025-11847, and CVE-2025-11848. Meanwhile, Víctor Fresco (@hacefresko) reported the flaws CVE-2025-13942 and CVE-2025-13943, while Watchful IP disclosed the flaw CVE-2026-1459.

Given the severity of this vulnerability, it's crucial that users update their affected routers immediately to prevent exploitation. Regular firmware updates, strong passwords, and robust network security measures can help protect devices from such attacks. As cybersecurity threats continue to evolve, it's essential to stay vigilant and up-to-date on the latest vulnerabilities and patches.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon for the latest cybersecurity news and updates.

Conclusion:

The recent discovery of critical Zyxel router flaws highlights the importance of regular firmware updates, robust network security measures, and vigilance in protecting devices from remote attacks. By staying informed about emerging vulnerabilities and taking proactive steps to patch them, users can significantly reduce their risk of falling prey to such attacks.