Zyxel warns of critical RCE flaw affecting over a dozen routers

Zyxel released patches for critical command-injection vulnerabilities affecting multiple 4G/5G CPEs, DSL/Ethernet CPEs, Fiber ONTs and wireless extenders (notably CVE-2025-13942), which allow OS command execution via crafted UPnP SOAP requests; successful remote exploitation requires UPnP and WAN access to be enabled. The vendor also patched high-severity post-auth command-injection flaws, while Shadowserver reports roughly 120,000 Zyxel devices exposed online and CISA tracks numerous Zyxel vulnerabilities, with some end-of-life devices remaining unpatchable and actively exploited.