DEV Community

Mark0


Zyxel warns of critical RCE flaw affecting over a dozen routers

Zyxel has released critical security patches for CVE-2025-13942, a command injection vulnerability affecting various router models including 4G LTE/5G NR CPE, Fiber ONTs, and wireless extenders. The flaw resides in the UPnP function and allows unauthenticated remote attackers to execute operating system commands via specially crafted SOAP requests.

While the vulnerability is rated as critical, exploitation is limited by the fact that it requires both UPnP and WAN access to be enabled, the latter of which is disabled by default. Zyxel also addressed additional high-severity flaws and warned that several legacy end-of-life models will not be patched, urging users to replace aging hardware to maintain security.

