CVE-2025-13942

9.8 CRITICAL

📋 TL;DR

A remote OS command injection vulnerability (CWE-78) in the UPnP service of Zyxel EX3510-B0 devices lets an unauthenticated attacker who can reach that service execute arbitrary operating system commands by sending a specially crafted UPnP SOAP request. Firmware versions through 5.17(ABUP.15.1)C0 are affected. Because the injected commands run on the device's embedded Linux, successful exploitation amounts to full device takeover; organizations running these devices should treat them as compromised until patched or isolated.

💻 Affected Systems

Products:
  • Zyxel EX3510-B0
Versions: All firmware versions through 5.17(ABUP.15.1)C0
Operating Systems: Embedded Linux (Zyxel firmware)
Default Config Vulnerable: ⚠️ Yes
Notes: UPnP is typically enabled by default on these devices, so the stock configuration is exploitable. Any affected device whose UPnP service (SSDP discovery plus the SOAP control endpoint) is reachable by the attacker is vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device compromise leading to a persistent backdoor in the firmware or startup configuration, pivoting from the gateway into internal systems, interception and exfiltration of traffic passing through the device, and enrolment of the device in a botnet.

🟠 Likely Case

A remote attacker gains full (root-level) control of the affected device, can modify its configuration (DNS, port forwards, remote management), intercept or redirect traffic, and use the device as a foothold into the internal network.

🟢 If Mitigated

With UPnP disabled, the vulnerable SOAP handler is not reachable, so the flaw cannot be triggered. With the device additionally segmented from sensitive systems, the blast radius of any residual exposure is limited to the device itself and the connectivity it provides.

🌐 Internet-Facing: HIGH - exploitation needs no authentication, so any device whose UPnP service answers on the WAN side can be taken over by anyone on the internet. UPnP is meant to be LAN-only; WAN reachability of 1900/udp or the SOAP control port is itself a misconfiguration worth checking for.
🏢 Internal Only: HIGH - any host on the LAN (including a compromised client, guest device or IoT appliance) can reach the UPnP service and take control of the gateway.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The SOAP request needs no authentication. Exploit development is straightforward for a CWE-78 pattern: once the injectable action argument is identified, any shell metacharacter sequence the handler passes through to the operating system yields command execution.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: A firmware release later than 5.17(ABUP.15.1)C0; the exact fixed build for the EX3510-B0 is listed in the vendor advisory below.

Vendor Advisory: https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-null-pointer-dereference-and-command-injection-vulnerabilities-in-certain-4g-lte-5g-nr-cpe-dsl-ethernet-cpe-fiber-onts-security-routers-and-wireless-extenders-02-24-2026

Restart Required: Yes

Instructions:

1. Download the latest EX3510-B0 firmware from the Zyxel support portal (only from Zyxel; do not apply images from third parties).
2. Back up the current configuration, then log into the device web interface.
3. Navigate to Maintenance > Firmware Upgrade.
4. Upload the firmware file.
5. Apply the upgrade and wait for the automatic reboot; the device is offline during this step.
6. After the reboot, confirm the new version and that UPnP is either still disabled (if you used the workaround) or is deliberately re-enabled.

🔧 Temporary Workarounds

Disable UPnP Service

Platform: all

Disable the Universal Plug and Play service so the SOAP control endpoint is no longer served; this removes the vulnerable code path rather than just hiding it.

Web Interface: Advanced > UPnP > Disable
CLI: system upnp disable

The menu path and CLI syntax above are as given on this page; they vary between Zyxel firmware builds, so verify the change from a LAN host (for example with an SSDP M-SEARCH probe to the device on 1900/udp) rather than trusting the setting alone. Expect port mappings that LAN clients created through UPnP (game consoles, VoIP clients) to stop working; add static port forwards where needed.

Block UPnP Ports

Platform: linux

Block access to the UPnP ports at a firewall in front of the device. 1900/udp is only SSDP discovery; the SOAP control endpoint is a separate TCP port (5000/tcp per this page; confirm the actual port from the LOCATION header in the device's SSDP reply, since an attacker who already knows the control URL does not need SSDP at all). The rules below act on the host they run on (INPUT chain); on an intermediate Linux firewall use the FORWARD chain with -d <device-ip> instead.

iptables -A INPUT -p udp --dport 1900 -j DROP
iptables -A INPUT -p tcp --dport 5000 -j DROP

🧯 If You Can't Patch

  • Isolate affected devices in a separate VLAN with strict firewall rules; in particular, prevent any WAN-side access to 1900/udp and the SOAP control port
  • Restrict the device's outbound traffic to what it needs (DNS, NTP, vendor update servers) so a compromised unit cannot reach attacker infrastructure
  • Implement network monitoring for unusual UPnP traffic patterns (see Detection & Monitoring)

🔍 How to Verify

Check if Vulnerable:

Check firmware version via web interface (Status > System Information) or CLI (show version). If version is 5.17(ABUP.15.1)C0 or earlier, device is vulnerable.

Check Version:

show version (CLI) or check Status > System Information in web interface

Verify Fix Applied:

Verify that the firmware version is newer than 5.17(ABUP.15.1)C0. If you are relying on the workaround instead, confirm from a LAN host that the device no longer answers SSDP M-SEARCH on 1900/udp and that the SOAP control port is closed.
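The two checks above (version comparison and confirming the workaround) as an added example; this is not code from Zyxel or from the original page. It assumes the Zyxel version format shown on this page, `[V]<major>.<minor>(<code>.<build>.<rev>)C<release>`, compares field by field numerically, and that the device answers a unicast SSDP M-SEARCH on 1900/udp when UPnP is enabled (some devices only answer multicast, so a silent device is a strong but not absolute signal). The sample `show version` output and SSDP reply are constructed.

```python
import re
import socket

# Threshold stated on this page: 5.17(ABUP.15.1)C0 and earlier are affected.
LAST_VULNERABLE = "5.17(ABUP.15.1)C0"

# Zyxel-style version string: [V]<major>.<minor>(<code>.<build>.<rev>)C<release>.
# Assumption (ours, not Zyxel's): later releases compare higher field by field
# once the platform code (ABUP here) matches.
_VERSION_RE = re.compile(
    r"V?(?P<major>\d+)\.(?P<minor>\d+)"
    r"\((?P<code>[A-Za-z]+)\.(?P<build>\d+)\.(?P<rev>\d+)\)"
    r"C(?P<release>\d+)"
)


def parse_version(s):
    """Return (platform_code, numeric_tuple) for one version string."""
    m = _VERSION_RE.fullmatch(s.strip())
    if m is None:
        raise ValueError(f"unrecognised Zyxel version string: {s!r}")
    g = m.groupdict()
    nums = tuple(int(g[k]) for k in ("major", "minor", "build", "rev", "release"))
    return g["code"].upper(), nums


def extract_version(text):
    """Pull the first version string out of 'show version' or status-page text."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError("no Zyxel version string found")
    return m.group(0)


def is_vulnerable(version, last_vulnerable=LAST_VULNERABLE):
    code, nums = parse_version(version)
    ref_code, ref_nums = parse_version(last_vulnerable)
    if code != ref_code:
        raise ValueError(f"platform code {code} != {ref_code}; not comparable")
    return nums <= ref_nums


def version_status(text):
    """'vulnerable', 'fixed', or 'unknown' (unparseable or a different platform code)."""
    try:
        return "vulnerable" if is_vulnerable(extract_version(text)) else "fixed"
    except ValueError:
        return "unknown"


# --- Workaround check: does the UPnP service still answer SSDP discovery? ---

def parse_ssdp_response(raw):
    """Parse an SSDP reply (HTTP-style header block) into a lowercase-keyed dict."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in lines[1:]:
        key, sep, value = line.partition(":")
        if sep:
            headers[key.strip().lower()] = value.strip()
    return headers


def control_endpoint(headers):
    """host:port of the description/SOAP endpoint, taken from the LOCATION header."""
    m = re.match(r"https?://([^/]+)", headers.get("location", ""))
    return m.group(1) if m else None


def probe_upnp(host, timeout=2.0):
    """Unicast M-SEARCH to host:1900; parsed headers, or None if the device is silent."""
    msg = ("M-SEARCH * HTTP/1.1\r\n"
           f"HOST: {host}:1900\r\n"
           'MAN: "ssdp:discover"\r\n'
           "MX: 1\r\n"
           "ST: upnp:rootdevice\r\n\r\n")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(msg.encode(), (host, 1900))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_ssdp_response(data.decode(errors="replace"))


# Constructed sample data (not captured from a real device).
SAMPLE_SHOW_VERSION = "Model: EX3510-B0\nFirmware Version: V5.17(ABUP.15.1)C0\n"
SAMPLE_SSDP_REPLY = ("HTTP/1.1 200 OK\r\n"
                     "CACHE-CONTROL: max-age=120\r\n"
                     "LOCATION: http://192.168.1.1:5000/rootDesc.xml\r\n"
                     "ST: upnp:rootdevice\r\n\r\n")
```

Paste the device's status page or `show version` output into `version_status()`; after applying the workaround, `probe_upnp("192.168.1.1")` returning None means the device no longer advertises itself, and while UPnP is still on, `control_endpoint()` on the reply tells you which TCP port the firewall rule actually has to block.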

📡 Detection & Monitoring

Log Indicators:

  • UPnP SOAP requests whose argument values contain shell metacharacters (; | & ` $ redirects, newlines) where the device or a proxy in front of it logs request bodies
  • Multiple malformed or failed UPnP requests from a single source (an attacker locating the injectable argument)
  • Unexpected processes, shell sessions or cron/init entries on the device, where its logs or a management interface expose them

Network Indicators:

  • UPnP traffic to 1900/udp or the SOAP control port (5000/tcp per this page) from outside the LAN, or from LAN hosts that do not normally use UPnP
  • Outbound connections from the device to unknown external IPs, especially on non-update ports shortly after a SOAP request
  • A sudden increase in device CPU or memory usage (a host-level sign of cryptomining or scanning activity following compromise)

SIEM Query (Splunk-style; the source name and field contents are placeholders to adapt to your log pipeline, and the keyword match will need tuning for false positives):

source="zyxel_logs" AND ("UPnP" OR "SOAP") AND ("command" OR "exec" OR "system")
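The log-indicator check run over captured traffic, as an added example rather than anything from the original page or from Zyxel: it parses each UPnP SOAP control request and flags argument values containing shell metacharacters, plus bodies that do not parse at all. The advisory does not say which action or argument the EX3510-B0 handler passes to the shell, so every argument is inspected; the metacharacter set, the request dict layout and the sample requests (a benign `AddPortMapping`, an injected one, and a malformed one) are all constructed here.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP_NS = "{http://schemas.xmlsoap.org/soap/envelope/}"

# Characters that let a value break out of a shell command line. This is a
# generic CWE-78 heuristic chosen here; it is not derived from the Zyxel code.
SHELL_META_RE = re.compile(r"[;&|`$<>\n\r]")


def soap_arguments(body):
    """Yield (action, argument, value) for every argument in a SOAP request body."""
    root = ET.fromstring(body)
    soap_body = root.find(f"{SOAP_NS}Body")
    if soap_body is None:
        return
    for action in soap_body:
        action_name = action.tag.rpartition("}")[2]
        for arg in action:
            yield action_name, arg.tag.rpartition("}")[2], (arg.text or "")


def suspicious_arguments(body):
    """Arguments whose value contains a shell metacharacter."""
    return [(a, n, v) for a, n, v in soap_arguments(body) if SHELL_META_RE.search(v)]


def scan_requests(requests):
    """Run the check over captured requests (dicts: src, method, path, headers, body)."""
    findings = []
    for req in requests:
        header_names = {k.lower() for k in req["headers"]}
        if req["method"] != "POST" or "soapaction" not in header_names:
            continue  # not a UPnP control request
        try:
            hits = suspicious_arguments(req["body"])
        except ET.ParseError:
            # A control request the XML parser rejects is itself worth a look.
            hits = [("<unparseable>", "", req["body"][:40])]
        if hits:
            findings.append({"src": req["src"], "path": req["path"], "hits": hits})
    return findings


def _soap(action, **args):
    """Build a WANIPConnection control body (helper for the constructed samples)."""
    inner = "".join(f"<{k}>{escape(v)}</{k}>" for k, v in args.items())
    return (f'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
            f'<s:Body><u:{action} xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
            f"{inner}</u:{action}></s:Body></s:Envelope>")


# Constructed sample traffic (not real captures); hosts and paths are made up.
CTRL = {"SOAPAction": '"urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping"'}
SAMPLE_REQUESTS = [
    {"src": "192.168.1.20", "method": "GET", "path": "/rootDesc.xml", "headers": {}, "body": ""},
    {"src": "192.168.1.20", "method": "POST", "path": "/ctl/IPConn", "headers": CTRL,
     "body": _soap("AddPortMapping", NewExternalPort="3074", NewProtocol="UDP",
                   NewInternalClient="192.168.1.20", NewPortMappingDescription="Xbox")},
    {"src": "192.168.1.77", "method": "POST", "path": "/ctl/IPConn", "headers": CTRL,
     "body": _soap("AddPortMapping", NewExternalPort="3074", NewProtocol="UDP",
                   NewInternalClient="192.168.1.77", NewPortMappingDescription="x;id>/tmp/o")},
    {"src": "192.168.1.77", "method": "POST", "path": "/ctl/IPConn", "headers": CTRL,
     "body": "<Envelope><Body><AddPortMapping>"},
]
```

Feed it the POST bodies from a proxy, IDS HTTP log or pcap extraction in front of the gateway; the device itself is unlikely to log request bodies. Legitimate UPnP clients occasionally put odd characters in `NewPortMappingDescription`, so treat a hit as a triage lead and correlate it with the outbound-connection indicator above before escalating.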
