Zyxel Issues Patch for Critical UPnP RCE Affecting Routers
🔐 Zyxel has released updates for a critical UPnP command-injection flaw tracked as CVE-2025-13942 that can allow unauthenticated remote attackers to execute operating system commands on affected routers, CPEs, ONTs, and extenders. Successful exploitation requires both UPnP and WAN access to be enabled; WAN access is disabled by default on these devices. Zyxel also patched two high-severity post-authentication command-injection bugs (CVE-2025-13943, CVE-2026-1459) and strongly urges administrators to apply firmware updates promptly.
