ZYXEL has issued patches for a critical vulnerability across dozens of device models, centred on the UPnP function and capable of remote code execution. The flaw, tracked as CVE-2025-13942 with a CVSS score of 9.8, affects 18 routers, ONTs and wireless extenders, and could be exploited via crafted UPnP SOAP requests to run OS commands on a vulnerable device, according to Zyxel.
In addition, Zyxel patched CVE-2025-13943 and CVE-2026-1459, two high-severity command-injection defects that could allow an authenticated attacker to execute OS commands by abusing the log file download function and the TR-369 certificate download CGI program on specific firmware versions. The company also released fixes for four null pointer dereference vulnerabilities that could enable denial-of-service conditions when WAN access is enabled and an attacker possesses compromised credentials.
Zyxel has published a list of impacted devices and notes firmware updates are available for all of them; it also warns that threat actors are known to have targeted Zyxel bugs in attacks, though none are reported as exploited in the wild. 26 February 2026.