Threat Advisory

Zyxel Devices Affected by Post-Authentication Command Injection and Service Disruption

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical


EXECUTIVE SUMMARY:

A vulnerability in multiple Zyxel networking devices, including 4G/5G CPEs, DSL/Ethernet routers, Fiber ONTs, and wireless extenders, has been identified that allows remote attackers to execute arbitrary operating system commands on affected products via a flaw in the Universal Plug and Play (UPnP) service. The issue stems from improper input handling in the UPnP SOAP request processing, which can be exploited without authentication if both WAN access and UPnP are manually enabled on the device. Successful exploitation could lead to full device compromise, enabling attackers to manipulate network traffic, deploy further malware, pivot deeper into local networks, or disrupt services. Zyxel has released firmware updates to address this and additional command injection and information‑disclosure bugs, and affected users are advised to apply patches immediately, disable unused UPnP and WAN services, and enforce strong credentials to mitigate risk.

  • CVE-2025-13942: It is a command injection vulnerability in the UPnP service of Zyxel devices, allowing remote attackers to execute arbitrary operating system commands. It affects multiple Zyxel devices including 4G/5G CPEs, DSL/Ethernet routers, Fiber ONTs, and wireless extenders. The vulnerability has a CVSS score of 9.8.
  • CVE-2025-13943: It is a post‑authentication command injection vulnerability in Zyxel EX3301‑T0 devices, allowing authenticated attackers to execute arbitrary OS commands. Exploitation can lead to full device compromise, including unauthorized access, configuration changes, and service disruption. The vulnerability has a CVSS score of 8.8.
  • CVE-2026-1459: It is a post‑authentication command injection vulnerability in Zyxel VMG3625‑T50B devices, allowing authenticated admin users to execute arbitrary OS commands. A successful attack could allow attackers to execute malicious commands, manipulate device functions, or gain deeper network access. The vulnerability has a CVSS score of 7.2.
  • CVE-2025-11845: It is a null pointer dereference vulnerability in the certificate downloader CGI program of affected Zyxel VMG3625‑T50B and WX3100‑T0 firmware versions, allowing an authenticated admin user to trigger a denial‑of‑service condition by sending a crafted HTTP request. The vulnerability has a CVSS score of 4.9.
  • CVE-2025-11846: It is a null pointer dereference vulnerability in the account settings CGI program of Zyxel VMG3625‑T50B and WX3100‑T0 firmware versions that could allow an authenticated admin user to trigger a denial‑of‑service by sending a crafted HTTP request. The vulnerability has a CVSS score of 4.9.
  • CVE-2026-11847: It is a null pointer dereference vulnerability in the IP settings CGI program of Zyxel VMG3625‑T50B and WX3100‑T0 firmware, which could allow an authenticated admin user to trigger a denial‑of‑service condition by sending a specially crafted HTTP request. The vulnerability has a CVSS score of 4.9.
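The summary above notes that the UPnP flaw is only reachable when UPnP and WAN access are both enabled, and recommends disabling unused UPnP and WAN services. The script below is an added example, not code from Zyxel or from the advisory: it performs a standard SSDP M-SEARCH against one address and reports whether a UPnP root device answers, so an operator can confirm from outside the LAN that a CPE's WAN side no longer responds after the setting is turned off. The target host, the sample reply and the hypothetical banner values are constructed for illustration.

```python
"""UPnP/SSDP exposure check (added example; host, port and sample reply are assumptions)."""
import socket

SSDP_PORT = 1900
# Standard SSDP discovery request; unicast to a single host instead of the multicast group.
M_SEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    'MAN: "ssdp:discover"\r\n'
    "MX: 1\r\n"
    "ST: upnp:rootdevice\r\n"
    "\r\n"
)


def parse_ssdp_response(raw: bytes) -> dict:
    """Parse an SSDP (HTTPU) reply into {"status": int|None, "headers": {name: value}}.
    Header names are lower-cased; a malformed or non-HTTP status line yields status None."""
    text = raw.decode("utf-8", errors="replace")
    lines = text.split("\r\n")
    parts = (lines[0] if lines else "").split(" ", 2)
    status = None
    if len(parts) >= 2 and parts[0].startswith("HTTP/") and parts[1].isdigit():
        status = int(parts[1])
    headers = {}
    for line in lines[1:]:
        if not line:
            break  # blank line terminates the header block
        if ":" not in line:
            continue  # tolerate junk lines rather than failing the whole parse
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"status": status, "headers": headers}


def assess(parsed: dict) -> list:
    """Turn a parsed reply into findings. Any 200 reply means the UPnP service is
    reachable from the prober's vantage point; LOCATION points at the device
    description (and the SOAP control endpoints behind it)."""
    findings = []
    if parsed["status"] != 200:
        return findings  # silence or a non-200 reply: nothing exposed here
    hdr = parsed["headers"]
    findings.append("UPnP responds to SSDP discovery from this vantage point")
    if "location" in hdr:
        findings.append("device description URL exposed: " + hdr["location"])
    if "server" in hdr:
        findings.append("server banner exposed: " + hdr["server"])
    return findings


def probe(host: str, timeout: float = 2.0) -> list:
    """Send one unicast M-SEARCH to host:1900 and return findings (empty if silent)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(M_SEARCH.encode(), (host, SSDP_PORT))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return []
    return assess(parse_ssdp_response(data))


# Constructed sample reply (not captured from a real device) so the checker runs offline.
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"EXT:\r\n"
    b"LOCATION: http://192.0.2.1:5431/root.xml\r\n"
    b"SERVER: Linux/3.4 UPnP/1.0 ExampleCPE/1.0\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        results = probe(sys.argv[1])  # e.g. the CPE's WAN address, run from outside the LAN
    else:
        results = assess(parse_ssdp_response(SAMPLE_REPLY))
    print("\n".join(results) if results else "no UPnP response")
```

An empty result after the firmware update and the UPnP/WAN settings change is the expected outcome; any finding means the service is still reachable from where the probe was run and the exposure condition described above still holds.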

RECOMMENDATION:

REFERENCES:

The following reports contain further technical details:

https://securityonline.info/total-takeover-critical-zyxel-flaw-cvss-9-8-exposes-routers-to-remote-command-injection/
