Zyxel Patches Multiple Flaws Including a Remote Code Execution Vulnerability in Multiple Router Models
Take action: If you are using Zyxel devices, review this advisory. Then update your Zyxel equipment if it's listed as affected. If your hardware is end-of-life and no longer supported, plan a quick replacement. These flaws will be exploited very soon.
Taiwanese networking provider Zyxel released security updates for a massive number of router models to fix multiple flaws, including a remote code execution (RCE) flaw.
Vulnerabilities summary:
- CVE-2025-13942 (CVSS score 9.8) - A command injection vulnerability in the UPnP function that allows unauthenticated remote code execution. Attackers send maliciously crafted UPnP SOAP requests to the device to run operating system commands. This bypasses authentication entirely, though it requires the non-default WAN access setting to be enabled alongside UPnP.
- Affected models: LTE3301-PLUS, NR7101, Nebula LTE3301-PLUS, Nebula NR7101, DX4510-B0/B1, EE6510-10, EMG6726-B10A, EX2210-T0, EX3510-B0/B1, EX5510-B0, EX5512-T0, EX7710-B0, VMG4927-B50A, PX3321-T1, PX5301-T0, WX5610-B0.
- CVE-2025-13943 (CVSS score 8.8) - A post-authentication command injection vulnerability found in the log file download function. An attacker with valid credentials can inject commands into the download process to execute arbitrary code on the underlying OS. This allows a compromised account to escalate privileges and gain full system control.
- Affected models: DM4200-B0, DX3300-T0/T1, DX3301-T0, DX4510-B0/B1, DX5401-B1, EE3301-00, EE5301-00, EE6510-10, EMG3525-T50B, EMG5523-T50B, EMG6726-B10A, EX2210-T0, EX3300-T0/T1, EX3301-T0, EX3500-T0, EX3501-T0, EX3510-B0/B1, EX3600-T0, EX5401-B1, EX5510-B0, EX5512-T0, EX5601-T0/T1, EX7501-B0, EX7710-B0, GM4100-B0, VMG3625-T50B, VMG4005-B50A/B60A, VMG4927-B50A, VMG8623-T50B, AM7510-00, AX7501-B1, PE3301-00, PE5301-01, PM3100-T0, PM5100-T0/T1, PM7300-T0, PM7500-00, PX3321-T1, PX5301-T0, WE3300-00, WE4600-00, WX3100-T0, WX3401-B1, WX5600-T0, WX5610-B0.
- CVE-2026-1459 (CVSS score 8.8) - A post-authentication command injection vulnerability in the TR-369 certificate download CGI program. Authenticated administrators can trigger this flaw to run system-level commands by manipulating the certificate request process. This enables persistent access and further exploitation of the internal network.
- Affected models: DX5401-B1, EMG3525-T50B, EMG5523-T50B, VMG3625-T50B, VMG3625-T50C, VMG8623-T50B. Patches for this flaw are expected in March 2026.
- CVE-2025-11845, CVE-2025-11846, CVE-2025-11847 (CVSS score 6.5) - Multiple null pointer dereference vulnerabilities in CGI programs handling certificates, account settings, and IP configurations. Authenticated attackers with administrator rights can send crafted HTTP requests to crash the device management services. This results in a denial-of-service (DoS) condition that prevents legitimate users from managing the router.
- Affected models: LTE3301-PLUS, Nebula FWA505, FWA510, FWA515, FWA710, Nebula LTE3301-PLUS, DX3300-T0/T1, DX3301-T0, DX4510-B0/B1, DX5401-B1, EE3301-00, EE5301-00, EE6510-10, EMG3525-T50B, EMG5523-T50B, EX2210-T0, EX3300-T0/T1, EX3301-T0, EX3500-T0, EX3501-T0, EX3510-B0/B1, EX3600-T0, EX5401-B1, EX5510-B0, EX5512-T0, EX5601-T0/T1, EX7501-B0, EX7710-B0, GM4100-B0, VMG3625-T50B, VMG4005-B50A/B60A, VMG8623-T50B, AX7501-B1, PE3301-00, PE5301-01, PM3100-T0, PM5100-T0/T1, PM7300-T0, PM7500-00, PX3321-T1, PX5301-T0, SCR 50AXE, WE3300-00, WX3100-T0, WX3401-B1, WX5600-T0, WX5610-B0.
- CVE-2025-11848 (CVSS score 6.5) - Multiple null pointer dereference vulnerabilities in CGI programs handling certificates, account settings, and IP configurations. Authenticated attackers with administrator rights can send crafted HTTP requests to crash the device management services. This results in a denial-of-service (DoS) condition that prevents legitimate users from managing the router.
- Affected models: DX3300-T0/T1, DX3301-T0, DX4510-B0/B1, DX5401-B1, EE3301-00, EE5301-00, EE6510-10, EMG3525-T50B, EMG5523-T50B, EX2210-T0, EX3300-T0/T1, EX3301-T0, EX3500-T0, EX3501-T0, EX3510-B0/B1, EX3600-T0, EX5401-B1, EX5510-B0, EX5512-T0, EX5601-T0/T1, EX7501-B0, EX7710-B0, GM4100-B0, VMG3625-T50B, VMG4005-B50A/B60A, VMG8623-T50B, AX7501-B1, PE3301-00, PE5301-01, PM3100-T0, PM5100-T0/T1, PM7300-T0, PM7500-00, PX3321-T1, PX5301-T0, SCR 50AXE, WE3300-00, WX3100-T0, WX3401-B1, WX5600-T0, WX5610-B0 (excludes 4G LTE/5G NR CPE models).
Shadowserver reports nearly 120,000 Zyxel devices are currently exposed to the internet, making them prime targets for automated botnets.
Zyxel noted that legacy products like the VMG1312 and SBG3300 series have reached end-of-life (EOL) and will not receive security updates. Users of these older devices remain permanently vulnerable to these and other zero-day exploits as the manufacturer will not provide further firmware support.
Zyxel strongly advises users to install the latest firmware patches immediately to protect against these flaws. For devices provided by Internet Service Providers (ISPs), users should contact their provider directly for custom firmware updates. If a device is EOL, the manufacturer recommends replacing it with a newer, supported model to ensure continued security coverage.
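To turn the model lists above into a patching queue, the following added example (not from Zyxel or the original article) triages a device inventory against CVE-2025-13942 and CVE-2026-1459 only. The inventory records, the field names `upnp` and `wan_access`, and the priority labels are assumptions made for this sketch; the model lists are copied from the advisory.

```python
# Added example: model lists copied from the advisory text above.
CVE_13942 = ("LTE3301-PLUS, NR7101, Nebula LTE3301-PLUS, Nebula NR7101, "
             "DX4510-B0/B1, EE6510-10, EMG6726-B10A, EX2210-T0, EX3510-B0/B1, "
             "EX5510-B0, EX5512-T0, EX7710-B0, VMG4927-B50A, PX3321-T1, "
             "PX5301-T0, WX5610-B0")
CVE_1459 = ("DX5401-B1, EMG3525-T50B, EMG5523-T50B, VMG3625-T50B, "
            "VMG3625-T50C, VMG8623-T50B")

def expand(models):
    """Expand 'DX4510-B0/B1' into both variants and normalise case."""
    out = set()
    for entry in models.split(","):
        first, *alts = entry.strip().upper().split("/")
        out.add(first)
        for alt in alts:
            # The alternative suffix replaces the same number of trailing chars.
            out.add(first[:len(first) - len(alt)] + alt)
    return out

AFFECTED = {"CVE-2025-13942": expand(CVE_13942), "CVE-2026-1459": expand(CVE_1459)}

def triage(device):
    """Return (priority, reasons); the priority labels are this example's own."""
    model = device["model"].strip().upper()
    priority, reasons = "none", []
    if model in AFFECTED["CVE-2025-13942"]:
        # Unauthenticated RCE needs UPnP plus the non-default WAN access setting.
        if device.get("upnp") and device.get("wan_access"):
            priority = "critical"
            reasons.append("CVE-2025-13942: UPnP and WAN access both enabled")
        else:
            priority = "high"
            reasons.append("CVE-2025-13942: affected model, precondition not met")
    if model in AFFECTED["CVE-2026-1459"]:
        priority = "high" if priority == "none" else priority
        reasons.append("CVE-2026-1459: patch expected March 2026")
    return priority, reasons

INVENTORY = [  # constructed sample records, not real devices
    {"host": "branch-gw-1", "model": "ex3510-b1", "upnp": True, "wan_access": True},
    {"host": "branch-gw-2", "model": "NR7101", "upnp": True, "wan_access": False},
    {"host": "home-cpe-3", "model": "VMG3625-T50C", "upnp": False, "wan_access": False},
    {"host": "other-4", "model": "UNLISTED-01", "upnp": False, "wan_access": False},
]

if __name__ == "__main__":
    for d in INVENTORY:
        prio, why = triage(d)
        print(f"{d['host']:12} {prio:9} {'; '.join(why) or 'not listed for these CVEs'}")
```

A result of "none" only means the model is not listed for these two CVEs; the other CVEs in the summary have their own, longer model lists.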