These flaws expose devices to denial-of-service (DoS) crashes and remote command injection, potentially allowing attackers to seize control.
The most alarming is CVE-2025-13942, a critical command injection bug with a CVSS v3.1 score of 9.8.
It affects the UPnP (Universal Plug and Play) service and allows unauthenticated remote exploitation if both WAN access and UPnP have been manually enabled. Neither is enabled by default, but both are common in misconfigured home or small office setups.

| CVE ID | Severity (CVSS) | Vulnerability Type | Attack Vector | Impact |
|---|---|---|---|---|
| CVE-2025-13942 | Critical (9.8) | Command Injection | Remote (UPnP) | OS Command Execution |
| CVE-2025-13943 | High | Command Injection | Authenticated User | OS Command Execution |
| CVE-2026-1459 | High (7.2) | Command Injection | Authenticated Admin | OS Command Execution |
| CVE-2025-11845 to 11848 | Medium (4.9) | Null Pointer Dereference | Authenticated Admin | Denial-of-Service (DoS) |

CVE-2025-13942 stems from improper input validation in UPnP’s SOAP handling. An attacker sends malformed SOAP requests over the WAN, injecting arbitrary OS commands without authentication.
This could lead to full router compromise, data exfiltration, or pivot attacks into local networks. CVSS metrics highlight its exploitability: Attack Complexity Low, Privileges Required None, User Interaction None.
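The article attributes CVE-2025-13942 to improper input validation in UPnP SOAP handling but does not name the affected action or field. As an added illustration (not Zyxel's code and not taken from the advisory), this Python sketch shows strict allow-list validation of SOAP arguments, assuming the standard UPnP IGD `AddPortMapping` action; the function names and the sample request are constructed for the example.

```python
import ipaddress
import xml.etree.ElementTree as ET

SOAP_NS = "{http://schemas.xmlsoap.org/soap/envelope/}"
def _port(v):
    return v.isascii() and v.isdigit() and len(v) <= 5 and int(v) <= 65535

def _ip(v):
    try:
        ipaddress.IPv4Address(v)
        return True
    except ValueError:
        return False

# Allow-list per argument: anything that is not exactly the expected type is rejected.
RULES = {
    "NewRemoteHost": lambda v: v == "" or _ip(v),
    "NewExternalPort": _port,
    "NewInternalPort": _port,
    "NewProtocol": lambda v: v in ("TCP", "UDP"),
    "NewInternalClient": _ip,
    "NewEnabled": lambda v: v in ("0", "1"),
    "NewPortMappingDescription": lambda v: len(v) <= 64 and all(c.isalnum() or c in " _-." for c in v),
    "NewLeaseDuration": lambda v: v.isascii() and v.isdigit() and len(v) <= 10,
}

def rejected_arguments(soap_xml):
    """Return the argument names that fail validation; an empty list means accept."""
    try:
        body = ET.fromstring(soap_xml).find(SOAP_NS + "Body")
    except ET.ParseError:
        body = None
    if body is None or len(body) != 1:
        return ["<malformed envelope>"]
    bad = []
    for arg in body[0]:
        name = arg.tag.split("}")[-1]
        check = RULES.get(name)  # unknown argument names are rejected too
        if check is None or len(arg) or not check(arg.text or ""):
            bad.append(name)
    return bad

def sample(client):  # constructed request for the demo, not captured traffic
    return ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
            '<u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
            '<NewRemoteHost/><NewExternalPort>8080</NewExternalPort><NewProtocol>TCP</NewProtocol>'
            f'<NewInternalPort>80</NewInternalPort><NewInternalClient>{client}</NewInternalClient>'
            '<NewEnabled>1</NewEnabled><NewPortMappingDescription>web</NewPortMappingDescription>'
            '<NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>')
```

Validating by expected type, rather than stripping known-bad characters, means a value such as an address followed by a shell separator is refused before it can reach any command line.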
Sibling flaws CVE-2025-13943 and CVE-2026-1459 require authenticated access (user-level for the former, admin-level for the latter) but still enable command execution via crafted inputs in web interfaces. Note: Patches for CVE-2026-1459 arrive in March 2026.
Four medium-severity issues (CVE-2025-11845–11848) lurk in various CGI endpoints. Authenticated admins can trigger crashes by sending HTTP requests that dereference null pointers, causing service reboots or outages.
CVSS scores of 4.9 reflect low remote impact since WAN access is off by default, but compromised credentials amplify the threat.
Zyxel provides firmware for most models immediately; check the advisory for your device (e.g., NR5103, VMG Series).
Disable WAN management and UPnP unless essential. Use strong, unique admin passwords and monitor logs for anomalies.
The post Critical Zyxel Router Vulnerabilities Allow Remote Command Injection Attacks appeared first on Cyber Security News.