CVE-2025-13942 – Zyxel Networking Firmware Command Injection & Remote Code Execution Fixes
“Multiple command injection holes let attackers run system commands on Zyxel gear — these firmware updates shut them down.”
Zyxel has released firmware updates addressing three serious command injection vulnerabilities affecting various 4G/5G CPEs, gateways, routers, and related networking devices. The most severe, CVE-2025-13942, carries a CVSS v3.1 score of 9.8 (Critical). This vulnerability exists in the UPnP service and can allow an unauthenticated remote attacker to execute arbitrary operating system commands when both UPnP and WAN access are enabled. Proof-of-concept code has been published, demonstrating real exploitation risk in exposed environments.
The second issue, CVE-2025-13943, is rated High severity with a CVSS v3.1 score of 8.8. It affects the log file download function and allows an authenticated user to inject and execute system commands. This could enable privilege escalation and deeper device compromise.
The third vulnerability, CVE-2026-1459, has a CVSS v3.1 score of 7.2 (High) and impacts the TR-369 certificate download CGI interface. An authenticated attacker could exploit improper input handling to execute arbitrary commands, potentially disrupting services or pivoting further into the network.
Zyxel has released updated firmware versions that correct input validation and harden command handling. Devices that are end-of-life and not receiving updates remain exposed.
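The conditions above can be turned into a fleet triage pass. This is an added example, not Zyxel's tooling or code from the advisory: the inventory fields, device names and the `Device`, `open_findings` and `triage` helpers are hypothetical, and the sample inventory is constructed. It applies the stated preconditions (UPnP plus WAN access for the unauthenticated CVE-2025-13942, an authenticated user for the other two) and flags end-of-life devices that will not receive a fix.

```python
from dataclasses import dataclass

# CVE id -> (CVSS v3.1 score, requires authentication), as stated in the advisory text
ADVISORY = {
    "CVE-2025-13942": (9.8, False),  # UPnP service
    "CVE-2025-13943": (8.8, True),   # log file download function
    "CVE-2026-1459": (7.2, True),    # TR-369 certificate download CGI
}

@dataclass
class Device:  # hypothetical inventory record
    name: str
    upnp_enabled: bool
    wan_access_enabled: bool
    firmware_fixed: bool  # running the vendor's corrected firmware
    end_of_life: bool     # no corrected firmware will be released

def open_findings(dev):
    """Return [(cve, score, note)] still applicable to dev, highest score first."""
    if dev.firmware_fixed:
        return []
    action = "replace: end-of-life, no fix" if dev.end_of_life else "update firmware"
    findings = []
    for cve, (score, needs_auth) in ADVISORY.items():
        if cve == "CVE-2025-13942" and not (dev.upnp_enabled and dev.wan_access_enabled):
            continue  # this issue needs both UPnP and WAN access enabled
        who = "authenticated" if needs_auth else "unauthenticated remote"
        findings.append((cve, score, f"{who}; {action}"))
    return sorted(findings, key=lambda f: f[1], reverse=True)

def triage(inventory):
    """Order devices by their worst open finding; devices with none are omitted."""
    rows = [(d.name, open_findings(d)) for d in inventory]
    rows = [r for r in rows if r[1]]
    return sorted(rows, key=lambda r: r[1][0][1], reverse=True)

# Constructed sample inventory (hypothetical device names)
INVENTORY = [
    Device("branch-cpe-01", True, True, False, False),
    Device("branch-cpe-02", False, True, False, False),
    Device("hq-gw-01", True, True, True, False),
    Device("lab-router-eol", True, True, False, True),
]

if __name__ == "__main__":
    for name, findings in triage(INVENTORY):
        for cve, score, note in findings:
            print(f"{name}: {cve} (CVSS {score}) {note}")
```

A device with UPnP or WAN access turned off drops out of the CVE-2025-13942 row but still lists the two authenticated issues until its firmware is updated.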