Critical Zyxel router flaw exposed devices to remote attacks

Zyxel addressed a critical UPnP command-injection vulnerability (CVE-2025-13942, CVSS 9.8) impacting multiple CPEs, Fiber ONTs, and wireless extenders that can enable remote OS command execution when WAN access and the vulnerable UPnP function are enabled; the vendor published advisories, disclosed related null-pointer and post-auth command-injection flaws, and plans firmware updates, and users are urged to update affected devices immediately.