Zyxel has released security patches for a critical command injection vulnerability that affects multiple router and network device models used across Nordic businesses. The vulnerability, designated CVE-2025-13942, carries a maximum CVSS severity score of 9.8 out of 10 and enables remote code execution through Universal Plug and Play (UPnP) protocols [1].
The security flaw affects various Zyxel device categories including DSL and Ethernet routers, 4G LTE and 5G network equipment, fibre optical network terminals, and wireless extenders commonly deployed in Swedish and Nordic enterprise environments. Approximately 120,000 Zyxel devices remain exposed to internet traffic, creating potential entry points for cybercriminals [2].
Technical Impact and Attack Methods
Unauthenticated attackers can exploit this vulnerability by sending specially crafted UPnP SOAP requests to affected devices. The attack requires WAN access to be enabled on the target device, which is a common configuration in many business networks [3].
Security researchers have not reported active exploitation of CVE-2025-13942 in the wild. However, the U.S. Cybersecurity and Infrastructure Security Agency continues monitoring 12 separate Zyxel vulnerabilities that cybercriminals are actively exploiting [1].
A second vulnerability, CVE-2026-1459, was also addressed in the same security update. Zyxel has confirmed that successful exploitation could allow attackers to execute operating system commands remotely, potentially leading to complete device compromise [4].
Affected Device Models
The vulnerability impacts several product lines commonly used in Nordic business environments:
- DSL and Ethernet CPE router models
- 4G LTE and 5G NR customer premises equipment
- Fibre optical network terminals
- Wireless range extenders and access points
Zyxel has published a comprehensive list of affected model numbers and corresponding firmware versions on their security advisory portal [1].
Regional Security Implications
Nordic organisations rely heavily on Zyxel networking equipment for both office connectivity and remote work infrastructure. The vulnerability poses particular risks for Swedish companies operating distributed networks or supporting hybrid work arrangements [2].
The timing coincides with increased cybercriminal focus on network infrastructure vulnerabilities across European markets. Security agencies across Nordic countries have observed sustained targeting of business networking equipment throughout 2024 [3].
What Organisations Should Do
IT departments should immediately identify all Zyxel devices within their networks and apply the latest firmware updates released by the manufacturer. Network administrators can download patches directly from Zyxel’s support portal using device model numbers and current firmware versions [1].
Organisations unable to patch immediately should consider disabling WAN access on affected devices where remote management is not required, since the attack depends on WAN access being enabled. Network monitoring systems should be configured to detect unusual UPnP traffic patterns, in particular UPnP SOAP control requests arriving from the internet, that could indicate exploitation attempts [4].
Security teams should also review their asset inventories to ensure all network devices receive timely security updates as part of standard vulnerability management processes.
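As an added example that is not part of the original article or of any Zyxel tooling, the script below implements the monitoring recommendation above: it scans device access-log lines for UPnP SOAP control requests (HTTP POSTs carrying a SOAPAction header of the standard form "urn:schemas-upnp-org:service:<Service>:<version>#<Action>") and flags those that originate outside the organisation's trusted address ranges, which is the WAN-facing exposure the advisory warns about. The log line format and the sample lines are constructed for this example (real device or proxy logs will need their own parser), and the trusted ranges (RFC 1918 space) are an assumption to adjust per network. It goes beyond the specific CVE in that it reports any externally sourced UPnP control traffic, which should not normally reach a business router at all.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample of simplified access-log lines from a network device:
#   "<src_ip> <method> <path> soapaction=<header value or ->"
# These lines are made up for this example and are not real Zyxel logs.
SAMPLE_LOG = """\
192.168.1.20 POST /upnp/control/WANIPConn1 soapaction="urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping"
203.0.113.45 POST /upnp/control/WANIPConn1 soapaction="urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping"
198.51.100.7 POST /upnp/control/WANIPConn1 soapaction="urn:schemas-upnp-org:service:WANIPConnection:1#DeletePortMapping"
10.0.0.5 GET /rootDesc.xml soapaction=-
203.0.113.45 GET /login.html soapaction=-
"""

# Parser for the constructed log format above.
LINE_RE = re.compile(
    r'^(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+soapaction=(?P<action>.*)$'
)

# Assumption: internal clients live in RFC 1918 space; anything else is
# treated as WAN-side. Adjust to the organisation's actual address plan.
TRUSTED_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Prefix every UPnP SOAP control action carries in its SOAPAction header.
UPNP_SERVICE_URN = "urn:schemas-upnp-org:service:"


@dataclass
class Finding:
    src: str      # source address of the request
    action: str   # SOAPAction value, e.g. ...WANIPConnection:1#AddPortMapping
    path: str     # control URL that was posted to


def is_trusted(src: str) -> bool:
    """True if the source address falls inside a trusted (internal) range."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparsable source: treat as untrusted
    return any(addr in net for net in TRUSTED_NETS)


def is_upnp_control(method: str, action: str) -> bool:
    """UPnP control requests are POSTs whose SOAPAction names a UPnP service."""
    return method == "POST" and action.strip('"').startswith(UPNP_SERVICE_URN)


def find_external_upnp(log_text: str) -> list:
    """Return UPnP control requests that did not come from a trusted range."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        if is_upnp_control(m["method"], m["action"]) and not is_trusted(m["src"]):
            findings.append(
                Finding(m["src"], m["action"].strip('"'), m["path"])
            )
    return findings


def summarise(findings: list) -> dict:
    """Count flagged control requests per external source address."""
    counts: dict = {}
    for f in findings:
        counts[f.src] = counts.get(f.src, 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_external_upnp(SAMPLE_LOG)
    for f in hits:
        print(f"ALERT external UPnP control request from {f.src}: {f.action} -> {f.path}")
    print("per-source totals:", summarise(hits))
```

Internal UPnP requests (the 192.168.1.20 line) are not reported, because the alert condition is the combination of a UPnP control request and an untrusted source; in a network where UPnP has been disabled entirely, `is_trusted` can be dropped so that any control request is flagged.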
References
[1] Zyxel Patches Critical Vulnerability in Many Device Models
[2] Zyxel warns of critical RCE flaw affecting over a dozen routers
[3] Zyxel patches critical command injection vulnerability in routers
[4] Zyxel warns over a dozen routers affected by critical security flaw
