
Critical Zyxel router flaw exposed devices to remote attacks


Zyxel fixed a critical flaw in multiple routers that lets unauthenticated attackers remotely execute commands on vulnerable devices.

Zyxel addressed a critical remote code execution vulnerability, tracked as CVE-2025-13942 (CVSS score of 9.8), affecting more than a dozen router models.

A command injection flaw in the UPnP feature of several Zyxel CPEs, Fiber ONTs, and wireless extenders lets attackers run OS commands via crafted UPnP requests. Remote exploitation requires both WAN access and the vulnerable UPnP function to be enabled, as WAN access is disabled by default.

“A command injection vulnerability in the UPnP function of certain 4G LTE/5G NR CPE, DSL/Ethernet CPE, Fiber ONTs, and Wireless Extenders firmware versions could allow a remote attacker to execute operating system (OS) commands on an affected device by sending specially crafted UPnP SOAP requests,” reads the advisory published by the vendor. “It is important to note that WAN access is disabled by default on these devices, and the attack can be carried out remotely only if both WAN access and the vulnerable UPnP function have been enabled.”

CVE-2026-1459 affects several Zyxel DSL/Ethernet CPE router models, including DX5401-B1, EMG3525-T50B, EMG5523-T50B, VMG3625-T50B/C, and VMG8623-T50B running specified firmware versions and earlier. Zyxel plans to release patched firmware versions for all impacted models in March 2026.

The Taiwanese manufacturer also addressed other vulnerabilities affecting multiple Zyxel CPEs, Fiber ONTs, security routers, and wireless extenders. CVE-2025-11847 and CVE-2025-11848 are null pointer dereference flaws in IP settings and Wake-on-LAN CGI components that allow authenticated administrators to trigger a denial-of-service via crafted HTTP requests. CVE-2025-13943 and CVE-2026-1459 are post-authentication command injection bugs in log download and TR-369 certificate functions, enabling OS command execution. In all cases, WAN access remains disabled by default, and successful exploitation requires compromised administrator credentials.

The researcher Tiantai Zhang from Purdue University disclosed the vulnerabilities CVE-2025-11845, CVE-2025-11846, CVE-2025-11847, and CVE-2025-11848.

Víctor Fresco (@hacefresko) reported the flaws CVE-2025-13942 and CVE-2025-13943, while Watchful IP disclosed the flaw CVE-2026-1459.

Users are urged to update affected routers immediately to prevent exploitation.


Pierluigi Paganini

(SecurityAffairs – hacking, Zyxel)