A critical vulnerability in several models of Zyxel routers and network devices has forced the company to publish security updates this month. The flaw, tracked as CVE-2025-13942, allows command injection through the UPnP functionality and, in the worst case, could let an attacker execute operating system commands on a device without authentication.
According to Zyxel itself, the problem lies in the handling of UPnP SOAP requests in a wide range of products, including 4G LTE / 5G NR CPEs, DSL / Ethernet CPEs, fiber ONTs and wireless extenders. An attacker who sends crafted UPnP messages could exploit this weakness to achieve remote command execution on vulnerable devices; Zyxel describes the conditions and affected versions in more detail in its technical advisory, available on its official website: Zyxel Security Advisory.

It is important to put the real scope of the risk in perspective. For remote exploitation to be viable, two conditions must be met: UPnP must be enabled on the device and the UPnP service must be reachable from the WAN. Zyxel states that WAN access is disabled by default on its equipment, so in many cases the practical exposure will be lower than the theoretical severity of the flaw suggests. However, on networks where a provider or the user has enabled remote access or UPnP, the danger is real.
Alongside this flaw, Zyxel published fixes for two other high-severity vulnerabilities that require valid credentials to be exploited: CVE-2025-13943 and CVE-2026-1459. Both would allow an attacker with authenticated access to run commands on the device's operating system, so they also deserve immediate attention from the administrators and users responsible for these devices.
The scale of the Zyxel ecosystem aggravates the situation: projects that track Internet-exposed devices, such as Shadowserver, record almost 120,000 Zyxel devices, of which more than 76,000 are routers. This presence is partly explained by the fact that many service providers hand out this equipment as "plug-and-play" when a customer signs up for a connection, with default configurations that do not always minimize the risk.
In addition, the United States Cybersecurity and Infrastructure Security Agency (CISA) lists many Zyxel vulnerabilities that have been actively exploited in its catalogue. In its public register you can look up the related entries and check which ones are listed as known exploited: CISA Known Exploited Vulnerabilities.
Another point worth recalling is device life-cycle management. Zyxel has acknowledged that certain old models will no longer receive patches for exploited zero-day vulnerabilities and has recommended that users replace this EOL (end-of-life) equipment with more recent alternatives that still receive updates. If the manufacturer does not provide a fix for a device, the only real long-term defense is to replace the hardware with a model that has current support.
From a practical perspective, the first and most urgent recommendation is the usual one in these cases: install the firmware updates published by Zyxel as soon as possible. If you cannot update immediately, check and, where appropriate, disable UPnP and remote access from the WAN in the device configuration. It is also a good idea to change the default credentials, to segment the network so that the router is isolated from critical devices and, in business environments, to monitor traffic and logs for signs of unusual behavior.
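The two exposure conditions described above (UPnP enabled and the UPnP service reachable from the WAN) and the recommendation to monitor traffic and logs both translate into a simple check a defender can run over captured UPnP control requests. The script below is an added example, not Zyxel's code and not taken from the advisory: it parses SOAP control requests, flags any that arrived on a WAN-side interface, and flags argument values that contain shell metacharacters, which a port number, protocol name or mapping description never legitimately carries. The interface names, addresses and request bodies are constructed for the example, and the action names used are standard WANIPConnection actions chosen for realism; the article does not name the vulnerable SOAP action.

```python
"""Inspect UPnP SOAP control requests seen at a gateway and flag the two warning
signs discussed in the article: control traffic arriving on the WAN interface and
argument values that look like OS command injection. Added example, not vendor code;
all sample traffic below is constructed."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SERVICE_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"

# Assumption: these are the interface names the capture uses for the WAN side.
WAN_IFACES = {"wan", "eth0.2", "ppp0"}

# Legitimate UPnP arguments (ports, protocol names, IP addresses, short descriptions)
# never contain shell metacharacters; their presence is a strong injection signal.
SHELL_META = re.compile(r"[;|&`$()<>\n]")


@dataclass
class Finding:
    src: str
    iface: str
    action: str
    reasons: List[str] = field(default_factory=list)


def soap_envelope(action: str, args: Dict[str, str]) -> str:
    """Build a SOAP control request body (used here only to construct the samples)."""
    body = "".join(f"<{k}>{v}</{k}>" for k, v in args.items())
    return (
        f'<s:Envelope xmlns:s="{SOAP_NS}">'
        f'<s:Body><u:{action} xmlns:u="{SERVICE_NS}">{body}</u:{action}></s:Body>'
        "</s:Envelope>"
    )


def parse_soap_action(body: str) -> Tuple[Optional[str], Dict[str, str]]:
    """Return (action name, {argument: value}); (None, {}) if the body is not a SOAP call."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None, {}
    soap_body = root.find(f"{{{SOAP_NS}}}Body")
    if soap_body is None or len(soap_body) == 0:
        return None, {}

    def local(tag: str) -> str:  # drop the "{namespace}" prefix ElementTree adds
        return tag.split("}")[-1]

    action_el = soap_body[0]
    return local(action_el.tag), {local(c.tag): (c.text or "") for c in action_el}


def inspect_request(src: str, iface: str, body: str) -> Optional[Finding]:
    """Return a Finding listing why the request is suspicious, or None if it looks normal."""
    action, args = parse_soap_action(body)
    finding = Finding(src, iface, action or "<unparsable>")
    if iface in WAN_IFACES:
        finding.reasons.append("UPnP control request received on the WAN interface")
    if action is None:
        finding.reasons.append("request body is not a well-formed SOAP control call")
    for name, value in args.items():
        if SHELL_META.search(value):
            finding.reasons.append(f"shell metacharacter in argument {name}: {value!r}")
    return finding if finding.reasons else None


def scan(requests: List[dict]) -> List[Finding]:
    """Run inspect_request over {'src', 'iface', 'body'} records and keep the hits."""
    findings = [inspect_request(r["src"], r["iface"], r["body"]) for r in requests]
    return [f for f in findings if f is not None]


# Constructed sample traffic: a normal LAN request, a request that reached the gateway
# from the WAN, and a LAN request whose description argument carries shell metacharacters.
BENIGN_ARGS = {
    "NewRemoteHost": "", "NewExternalPort": "8080", "NewProtocol": "TCP",
    "NewInternalPort": "8080", "NewInternalClient": "192.168.1.20",
    "NewEnabled": "1", "NewPortMappingDescription": "media-server", "NewLeaseDuration": "0",
}
SAMPLE_REQUESTS = [
    {"src": "192.168.1.20", "iface": "br-lan", "body": soap_envelope("AddPortMapping", BENIGN_ARGS)},
    {"src": "203.0.113.7", "iface": "wan", "body": soap_envelope("GetExternalIPAddress", {})},
    {"src": "192.168.1.33", "iface": "br-lan",
     "body": soap_envelope("AddPortMapping", {**BENIGN_ARGS, "NewPortMappingDescription": "media-server;ls"})},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_REQUESTS):
        print(f"{f.src} via {f.iface} -> {f.action}: " + "; ".join(f.reasons))
```

On a device where WAN access to UPnP is disabled, as Zyxel says it is by default, the first kind of finding should never appear; seeing it confirms the exposure condition the article describes and is worth treating as a configuration problem in its own right, independently of whether any argument looks malicious.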
If your modem or router was provided by your operator and you do not know how to access the management panel or apply the update, contact the provider's technical support: many operators manage updates remotely or can replace obsolete equipment. In business environments, where the exposure can involve critical assets, it is worth having a response plan and reviewing inventory and hardware-renewal policies.

The Zyxel case illustrates a recurring lesson in the security of home and small-business networks: widely deployed devices left in their default configuration become priority targets for attackers. Although not every user will be at immediate risk given the exploitation conditions, the public availability of these flaws and the number of exposed devices justify a proactive response.
For those who want to consult the primary sources and go deeper into the technical details and official mitigations, here are the links to the advisories and records mentioned above: Zyxel's advisory for these vulnerabilities is on its website, the individual CVEs can be reviewed in the public CVE database (CVE-2025-13942, CVE-2025-13943, CVE-2026-1459), and the monitoring of one's own exposed surface can be checked against projects such as Shadowserver and CISA's list of exploited vulnerabilities.
In short, the fact that patches are already available is good news, but the massive presence of Zyxel devices in networks around the world and the decision not to update old hardware call for active measures: update when possible, disable unnecessary functions such as UPnP and remote WAN access, and replace EOL equipment to reduce the exposure window.