securityaffairs.com 2/25/2026, 9:42:03 PM · via preferred

Zyxel fixes critical UPnP RCE affecting a dozen router models

CyberSIXT Evidence Panel
Primary Source: zyxel.com
CISA KEV: Not in KEV
Patch: Available

Zyxel has fixed a critical remote code execution flaw affecting more than a dozen router models. Tracked as CVE-2025-13942 with a CVSS score of 9.8, it lets unauthenticated attackers run OS commands via crafted UPnP requests. The vulnerability resides in the UPnP feature of several CPEs, Fiber ONTs and wireless extenders. Exploitation requires both WAN access and the vulnerable UPnP function to be enabled; WAN access is disabled by default.

Affected models include DX5401-B1, EMG3525-T50B, EMG5523-T50B, VMG3625-T50B/C, and VMG8623-T50B, with firmware versions specified in the Zyxel advisory. Zyxel plans to release patched firmware for all impacted models in March 2026.

The vendor also addressed additional flaws: CVE-2025-11847 and CVE-2025-11848 (null pointer dereference in the IP settings and Wake-on-LAN CGI components), and the post-authentication command injection bugs CVE-2025-13943 and CVE-2026-1459, which require compromised administrator credentials to exploit. Researchers Tiantai Zhang from Purdue University and Víctor Fresco reported several of the CVEs, while Watchful IP disclosed CVE-2026-1459. Users are urged to update affected devices promptly.


Article by CyberSIXT