Zyxel Vulnerabilities Allow Remote Attackers to Execute Commands via Command Injection

Zyxel issued security advisories and firmware updates for multiple vulnerabilities affecting various CPE and router products, highlighted by a critical CVE-2025-13942 UPnP command injection (CVSS 9.8) that can allow unauthenticated remote OS command execution if WAN access and UPnP are manually enabled; other CVEs include authenticated command injections and admin-authenticated null-pointer dereference DoS issues. Users are advised to apply vendor firmware updates, keep WAN access disabled by default, and contact ISPs for provider-supplied devices.