Warning: Critical vulnerability in various Zyxel routers. Patch Immediately!

• Last update: 26/02/2026
• Affected software:
  → Zyxel routers
• Type: OS Command Injection (CWE-78)
• CVE/CVSS
  → • CVE-2026-13942: 9.8 CRITICAL (CVSS:3.1AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Sources

Vendor Advisory - https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-null-pointer-dereference-and-command-injection-vulnerabilities-in-certain-4g-lte-5g-nr-cpe-dsl-ethernet-cpe-fiber-onts-security-routers-and-wireless-extenders-02-24-2026

Risks

Successful exploitation could allow a remote attacker to execute operating system (OS) commands on an affected device by sending specially crafted UPnP SOAP requests.

Description

A command injection vulnerability in the UPnP function of the Zyxel EX3510-B0 firmware that can be exploited by sending specially crafted UPnP SOAP requests.

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.

More information on the vendor’s website:
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-null-pointer-dereference-and-command-injection-vulnerabilities-in-certain-4g-lte-5g-nr-cpe-dsl-ethernet-cpe-fiber-onts-security-routers-and-wireless-extenders-02-24-2026

Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion

In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.

While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.

References

NIST - https://nvd.nist.gov/vuln/detail/CVE-2025-13942