Zyxel Routers CVE-2025-13942: Unauthenticated RCE Affects 120,000 Exposed Devices — Patch Now
Critical command injection vulnerabilities in more than a dozen Zyxel router product families allow unauthenticated remote code execution when WAN management access and UPnP are both enabled. Approximately 120,000 Zyxel devices are currently internet-exposed according to Shadowserver data. These routers are widely distributed by Irish and UK ISPs as home broadband equipment. Security updates were released on February 25, 2026; apply them immediately.
The Vulnerabilities
Zyxel disclosed three vulnerabilities in CPE-class routers on February 25, 2026:
CVE-2025-13942 — Unauthenticated RCE (Critical)
Command injection via UPnP SOAP requests when both WAN management access and UPnP are enabled. An unauthenticated attacker on the internet can send a crafted UPnP SOAP request to the router's WAN-facing UPnP port and achieve remote code execution as root.
Prerequisites: WAN management access enabled (not the default) AND UPnP enabled (the default on many models). Neither is needed for normal home use, but enough devices are configured this way, by ISPs for remote support or by users who want remote management, to make the exposed population meaningful.
CVSS: Critical — network-accessible, no authentication, no user interaction.
CVE-2025-13943 — Post-Authentication Command Injection (High)
Command injection in the web management interface, exploitable by an authenticated attacker. Once an attacker has valid credentials (via brute force, credential stuffing, or credential theft), this vulnerability provides a path to shell access on the device.
CVE-2026-1459 — Post-Authentication Command Injection (High)
A second post-authentication command injection vulnerability in a different management function. Same exploitation requirement as CVE-2025-13943: valid credentials are needed. It is rated High rather than Critical because of the authentication requirement, but in practice many home routers still use their default credentials, which lowers that bar considerably.
In a real-world attack chain, CVE-2025-13942 provides the initial unauthenticated foothold. CVE-2025-13943 and CVE-2026-1459 provide additional exploitation paths for the authenticated stage and may be useful in scenarios where UPnP is disabled but WAN access is open.
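To make the injection pattern concrete, here is an added example written for this page in Python. It is not Zyxel's firmware code and not the actual CVE-2025-13942 defect: it parses a UPnP IGD AddPortMapping SOAP request, shows how an argument spliced into a shell command string becomes command injection, and sets a hardened handler beside it that parses every field into its expected type and builds an argv list so that no shell ever interprets the input. The iptables command shape, the sample request and its argument values are assumptions made for illustration.

```python
"""Command injection via UPnP SOAP arguments: the injectable pattern next to
a hardened handler. Illustrative code, not Zyxel firmware and not the actual
CVE-2025-13942 defect; the iptables command shape is an assumption."""
import ipaddress
import re
import xml.etree.ElementTree as ET

SOAP_NS = "{http://schemas.xmlsoap.org/soap/envelope/}"
WANIP_NS = "{urn:schemas-upnp-org:service:WANIPConnection:1}"
SHELL_META = re.compile(r"[;&|`$<>\n]")

# Constructed AddPortMapping request; NewInternalClient carries a shell
# metacharacter. All values are made up for the example.
SAMPLE_REQUEST = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
 <s:Body>
  <u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
   <NewExternalPort>8080</NewExternalPort>
   <NewProtocol>TCP</NewProtocol>
   <NewInternalPort>80</NewInternalPort>
   <NewInternalClient>192.168.1.20; reboot</NewInternalClient>
   <NewEnabled>1</NewEnabled>
  </u:AddPortMapping>
 </s:Body>
</s:Envelope>"""


def parse_add_port_mapping(xml_text: str) -> dict:
    """Return the AddPortMapping arguments as {name: text}."""
    root = ET.fromstring(xml_text)
    action = root.find(f"{SOAP_NS}Body/{WANIP_NS}AddPortMapping")
    if action is None:
        raise ValueError("not an AddPortMapping request")
    return {child.tag: (child.text or "").strip() for child in action}


def suspicious_args(args: dict) -> list:
    """Names of arguments containing shell metacharacters; the kind of check
    you would put in a WAF rule or run over UPnP request logs."""
    return [name for name, value in args.items() if SHELL_META.search(value)]


def unsafe_command(args: dict) -> str:
    """The injectable pattern: untrusted text spliced into a shell command
    string that a firmware handler would hand to system()/popen().
    Built here as a string only; never execute it."""
    return (
        "iptables -t nat -A PREROUTING -p {proto} --dport {ext} "
        "-j DNAT --to-destination {client}:{iport}"
    ).format(
        proto=args["NewProtocol"].lower(),
        ext=args["NewExternalPort"],
        client=args["NewInternalClient"],
        iport=args["NewInternalPort"],
    )


def safe_argv(args: dict) -> list:
    """Hardened handler: each field is parsed into its expected type and the
    command is an argv list, so no shell ever sees the input."""
    proto = args.get("NewProtocol", "").upper()
    if proto not in ("TCP", "UDP"):
        raise ValueError("NewProtocol must be TCP or UDP")
    ext = int(args.get("NewExternalPort", ""))    # ValueError unless integer
    iport = int(args.get("NewInternalPort", ""))
    if not (1 <= ext <= 65535 and 1 <= iport <= 65535):
        raise ValueError("port out of range")
    client = ipaddress.ip_address(args.get("NewInternalClient", ""))  # rejects "x; reboot"
    if not client.is_private:
        raise ValueError("internal client must be on the LAN")
    return ["iptables", "-t", "nat", "-A", "PREROUTING", "-p", proto.lower(),
            "--dport", str(ext), "-j", "DNAT",
            "--to-destination", f"{client}:{iport}"]


def handle(xml_text: str):
    """Run a request through the hardened path; None means it was rejected."""
    try:
        return safe_argv(parse_add_port_mapping(xml_text))
    except ValueError:
        return None


if __name__ == "__main__":
    args = parse_add_port_mapping(SAMPLE_REQUEST)
    print("suspicious:", suspicious_args(args))
    print("unsafe string:", unsafe_command(args))
    print("hardened result:", handle(SAMPLE_REQUEST))
```

The line that matters is `ipaddress.ip_address(...)`: parsing the field into its type rejects `192.168.1.20; reboot` outright, whereas a metacharacter blocklist such as `suspicious_args` can only flag what it already knows about, which is why it belongs in detection rather than in the handler. Well-built IGD daemons program netfilter through a library rather than through a shell; the hardened path keeps that property even when a command-line tool is the only option.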
Affected Models
The vulnerabilities affect more than 12 Zyxel product families across the consumer and small business segments:
- 4G LTE series (multiple models)
- 5G NR series (multiple models)
- DSL/Ethernet CPE series
- Fiber ONTs (Optical Network Terminals)
- Wireless extenders
The full affected model list is published in Zyxel's security advisory. If you have a Zyxel router and don't know the model name, check the label on the underside of the device — it will show the model number, which you can cross-reference against Zyxel's advisory.
If your broadband router was supplied by your ISP and you've never changed it, there is a reasonable chance it's a Zyxel device. Zyxel is one of the largest OEM suppliers of CPE hardware to European ISPs, including providers in Ireland and the United Kingdom. ISP-branded devices often carry the ISP's logo but use Zyxel hardware underneath — check the device label or the admin panel's "About" section to confirm the manufacturer.
Scale of Exposure
Shadowserver's internet scan data shows approximately 120,000 Zyxel devices with internet-exposed interfaces at the time of disclosure. The more specific figure cited in the disclosure is 76,000+ routers with UPnP reachable from the internet: the subset that CVE-2025-13942 (unauthenticated RCE) can reach, to the extent those devices are affected models still running pre-patch firmware.
76,000 internet-exposed routers with an unauthenticated RCE vulnerability is a significant attack surface. To put that in perspective:
- A botnet operator scanning the internet for this vulnerability can identify and compromise a substantial fraction of these devices within hours of exploit availability
- Home router compromises are commonly used for botnet node recruitment (DDoS traffic), residential proxy infrastructure (for bypassing geo-restrictions and anti-fraud checks), and as staging posts for targeting the network behind the router (home office laptops, NAS devices, IoT)
- The devices are geographically distributed across ISP subscriber bases — harder to remediate centrally than a single enterprise network
What to Do
Immediate: Apply Firmware Update
Zyxel released firmware updates on February 25, 2026 for all affected models. Update your router firmware immediately via the admin panel (usually accessible at 192.168.1.1 or 192.168.0.1). The firmware update page is typically under Administration → Firmware Upgrade or Maintenance → Firmware.
If you received your router from an ISP, check whether automatic firmware updates are enabled — some ISP-configured devices push updates automatically, others require manual action. Check the firmware version in your admin panel and compare against Zyxel's advisory to confirm you're on the patched version.
Immediate: Check WAN Management Access
CVE-2025-13942 (unauthenticated RCE) requires WAN management access to be enabled. This is not the default on most home router configurations, but it is sometimes enabled by ISPs for remote support purposes or by users who want to manage their router remotely.
Check: Administration → Remote Management or Administration → Services → Remote Access. If WAN management is enabled and you don't need remote access to your router from outside your home network, disable it now. This eliminates the unauthenticated attack vector even before you apply the patch.
Immediate: Check UPnP Status
UPnP is the second prerequisite for CVE-2025-13942. It is enabled by default on many consumer routers. Check: Network → UPnP or Advanced → UPnP. If you don't specifically need UPnP (and most users don't — it's only required by a small number of gaming consoles and older media devices), disable it. This is good security practice regardless of this specific vulnerability.
Change Default Credentials
CVE-2025-13943 and CVE-2026-1459 require valid credentials. If your router admin password is still the default from the ISP or factory, change it now. Default router credentials (admin/admin, admin/password, admin/1234) are in every attacker wordlist. A compromised router gives the attacker a position on your home network with visibility into all of your traffic.
For Bug Bounty Hunters and Pentesters
Router CPE vulnerabilities are a productive class of bug for several reasons:
- Slow patch deployment: Even when patches are available, consumer and ISP-distributed router firmware takes months or years to reach all devices. The 120,000 exposed Zyxel devices in today's Shadowserver data will not all be patched within 30 days.
- Vendor bounty programs: Zyxel runs a responsible disclosure program at zyxel.com. If you find additional vulnerabilities in Zyxel products, coordinated disclosure through their program can result in CVE attribution and public credit.
- ISP CPE as attack surface: If you're engaged in a penetration test of an organisation whose remote workers use ISP-supplied broadband, compromised home routers can be in-scope as a path to the employee's home office network and VPN-connected corporate resources. Check scope carefully — but it's a realistic attack chain.
For UPnP specifically: the attack surface is well documented but often under-tested. Tools like Miranda (the Python UPnP client and administration tool) and Metasploit's `auxiliary/scanner/upnp/ssdp_msearch` scanner provide a starting point for testing UPnP exposure. In a home or small office environment where network devices auto-discover each other via UPnP, a single compromised IoT device can use the IGD AddPortMapping action, which requires no authentication, to open inbound port mappings on the router and establish direct inbound access to the network.
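As an added example written for this page (not Miranda, not Metasploit, and not Zyxel code), the following Python script carries out the basic UPnP exposure check from first principles: an SSDP M-SEARCH for InternetGatewayDevice, parsing of the reply, extraction of the WANIPConnection controlURL from the device description, and construction of the read-only GetExternalIPAddress SOAP action that confirms the control endpoint answers without changing any state. The sample SSDP reply and description XML are constructed inline, so everything except `discover()` runs offline; the address 203.0.113.10, port 5000, UUID and control path /ctl/IPConn are made-up placeholders.

```python
"""UPnP exposure check: SSDP discovery, control-URL lookup and a read-only
IGD SOAP action. Added example, not code from the page or from Zyxel."""
import socket
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SSDP_MCAST, SSDP_PORT = "239.255.255.250", 1900
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
WANIP_BASE = "urn:schemas-upnp-org:service:WANIPConnection"
WANIP = WANIP_BASE + ":1"
DEV_NS = "{urn:schemas-upnp-org:device-1-0}"

# Constructed SSDP reply and device description, shaped like an IGD's
# answers; the address, port, UUID and control path are made up.
SAMPLE_SSDP_REPLY = (
    "HTTP/1.1 200 OK\r\n"
    "CACHE-CONTROL: max-age=1800\r\n"
    "LOCATION: http://203.0.113.10:5000/rootDesc.xml\r\n"
    "SERVER: Linux UPnP/1.0 IGD/1.0\r\n"
    f"ST: {IGD_ST}\r\n"
    f"USN: uuid:00000000-0000-0000-0000-000000000000::{IGD_ST}\r\n\r\n"
)
SAMPLE_ROOT_DESC = f"""<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0">
 <device><deviceType>{IGD_ST}</deviceType><deviceList><device>
  <deviceType>urn:schemas-upnp-org:device:WANConnectionDevice:1</deviceType>
  <serviceList><service><serviceType>{WANIP}</serviceType>
   <controlURL>/ctl/IPConn</controlURL></service></serviceList>
 </device></deviceList></device></root>"""

def build_msearch(st: str = IGD_ST, mx: int = 2) -> bytes:
    """SSDP M-SEARCH asking for InternetGatewayDevice roots."""
    return (f"M-SEARCH * HTTP/1.1\r\nHOST: {SSDP_MCAST}:{SSDP_PORT}\r\n"
            f'MAN: "ssdp:discover"\r\nMX: {mx}\r\nST: {st}\r\n\r\n').encode()

def parse_ssdp_reply(raw: str) -> dict:
    """Lower-cased header map from a 200 OK SSDP reply; {} otherwise."""
    lines = raw.split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        return {}
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def is_igd(headers: dict) -> bool:
    """True when the reply advertises an InternetGatewayDevice."""
    return IGD_ST in headers.get("st", "") or IGD_ST in headers.get("usn", "")

def description_endpoint(headers: dict):
    """(host, port) from the LOCATION URL, or None if it is missing."""
    u = urlparse(headers.get("location", ""))
    return (u.hostname, u.port or 80) if u.hostname else None

def find_control_url(desc_xml: str):
    """controlURL of the WANIPConnection service in a device description."""
    for svc in ET.fromstring(desc_xml).iter(f"{DEV_NS}service"):
        if (svc.findtext(f"{DEV_NS}serviceType") or "").startswith(WANIP_BASE):
            return svc.findtext(f"{DEV_NS}controlURL")
    return None

def build_get_external_ip(host: str, control_url: str) -> bytes:
    """Raw HTTP POST for GetExternalIPAddress, a read-only IGD action that
    shows the control endpoint answers SOAP without changing any state."""
    body = ('<?xml version="1.0"?><s:Envelope '
            'xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
            f'<u:GetExternalIPAddress xmlns:u="{WANIP}"/></s:Body></s:Envelope>')
    return (f"POST {control_url} HTTP/1.1\r\nHOST: {host}\r\n"
            'CONTENT-TYPE: text/xml; charset="utf-8"\r\n'
            f'SOAPACTION: "{WANIP}#GetExternalIPAddress"\r\n'
            f"CONTENT-LENGTH: {len(body)}\r\n\r\n{body}").encode()

def discover(target: str, timeout: float = 2.0) -> list:
    """Unicast M-SEARCH to target:1900 and collect parsed replies. Run from
    outside against the router's public IP, a reply means SSDP is WAN-reachable."""
    found = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_msearch(), (target, SSDP_PORT))
        try:
            while True:
                data, _ = s.recvfrom(65535)
                h = parse_ssdp_reply(data.decode(errors="replace"))
                if h:
                    found.append(h)
        except socket.timeout:
            pass
    return found

if __name__ == "__main__":
    import sys
    for h in discover(sys.argv[1] if len(sys.argv) > 1 else SSDP_MCAST):
        print("IGD" if is_igd(h) else "other", h.get("location"), h.get("server"))
```

Run it as `python3 upnp_probe.py <public-ip>` from a host outside the network (a VPS, or a phone on mobile data) against a router you are authorised to test. A reply flagged IGD means SSDP answers on the WAN side; fetching the LOCATION URL, pulling the controlURL out of it with `find_control_url()` and POSTing the output of `build_get_external_ip()` to that path confirms SOAP control is reachable from the internet as well, which is the condition the advisory describes. `nmap -sU -p 1900 --script upnp-info <ip>` covers the first step with less typing. The WAN management interface is a separate check: a TCP connect to the router's HTTP/HTTPS ports from the same outside vantage point.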
Context: This Week in Home Router Security
CVE-2025-13942 lands in the same week as the Cisco SD-WAN CVE-2026-20127 (CVSS 10.0, CISA Emergency Directive). The parallel between enterprise network infrastructure (SD-WAN management planes) and consumer network infrastructure (home router CPE) is instructive: both categories are frequently internet-exposed, often running old firmware, and can be exploited without authentication.
The difference is scale and visibility. Enterprise SD-WAN administrators have a SOC, vulnerability management processes, and CISA advisories demanding action. Home router users generally have none of these. The 76,000 Zyxel routers exposed with UPnP will take far longer to patch than the comparatively small, centrally administered set of Cisco SD-WAN deployments covered by CISA's Emergency Directive.
From a threat landscape perspective: residential and ISP CPE vulnerabilities are a persistent and underserved area of security research. The patch gap is wide, the installed base is enormous, and the downstream impact of compromised residential infrastructure reaches into every home office, every remote worker's environment, and every consumer IoT network.
Frequently Asked Questions
Is my Zyxel router vulnerable?
Check your router model against the full affected list in Zyxel's security advisory at zyxel.com. If you have a Zyxel 4G LTE, 5G NR, DSL/Ethernet CPE, Fiber ONT, or wireless extender, your model may well be on the list; confirm it against the advisory rather than assuming either way. If it is listed, apply the firmware update from Zyxel's download centre for your model immediately.
Is CVE-2025-13942 being actively exploited?
No active exploitation had been publicly confirmed at the time of writing (February 26, 2026). However, with 76,000+ internet-exposed devices, public disclosure of an unauthenticated RCE, and patches just released, exploitation attempts should be expected within days as attackers diff the patched firmware against the vulnerable version to develop exploit code. Note that a firmware update closes the hole but does not undo changes an attacker may already have made to the device's configuration (DNS servers, port forwards, admin credentials); if a device sat exposed with WAN-side UPnP before patching, a factory reset after the update, followed by a credential change, is the conservative course.
Does disabling UPnP protect me?
Disabling either prerequisite, UPnP or WAN management access, removes the unauthenticated path for CVE-2025-13942, since the bug needs both. CVE-2025-13943 and CVE-2026-1459 (post-authentication command injection) remain present without patching. Disabling UPnP is a useful mitigation but is not a substitute for applying the firmware update.
My router was provided by my ISP — do I need to update it?
Yes. ISP-supplied routers that use Zyxel hardware are subject to the same vulnerabilities. Check whether your ISP has pushed a firmware update automatically — log into your router admin panel and verify the firmware version against the patched version in Zyxel's advisory. If you're unsure, contact your ISP's support line and ask whether they have deployed the patch for your device model.