Cyber Posture

CVE-2025-13942

Critical

Published: 24 February 2026

Modified: 25 February 2026
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0018 (39.4th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Description

A command injection vulnerability in the UPnP function of the Zyxel EX3510-B0 firmware versions through 5.17(ABUP.15.1)C0 could allow a remote attacker to execute operating system (OS) commands on an affected device by sending specially crafted UPnP SOAP requests.

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Directly mitigates the command injection vulnerability by identifying, testing, and applying firmware patches as issued in the Zyxel security advisory.

prevent

Implements input validation mechanisms on UPnP SOAP requests to block specially crafted payloads that enable command injection.

prevent

Restricts or disables the nonessential UPnP function on the device to eliminate the attack surface for remote command injection.

Security Summary (AI)

CVE-2025-13942 is a command injection vulnerability (CWE-78) in the UPnP function of Zyxel EX3510-B0 firmware versions through 5.17(ABUP.15.1)C0. Published on 2026-02-24, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting critical severity due to its potential for high-impact confidentiality, integrity, and availability effects.

A remote, unauthenticated attacker can exploit the vulnerability by sending specially crafted UPnP SOAP requests to an affected device, enabling arbitrary operating system command execution. The attack requires no privileges and no user interaction and has low attack complexity, making it highly accessible over the network.

Zyxel has issued a security advisory addressing this command injection vulnerability alongside null pointer dereference issues in certain 4G LTE, 5G NR CPE, DSL Ethernet CPE, fiber ONTs, security routers, and wireless extenders, available at https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-null-pointer-dereference-and-command-injection-vulnerabilities-in-certain-4g-lte-5g-nr-cpe-dsl-ethernet-cpe-fiber-onts-security-routers-and-wireless-extenders-02-24-2026.

Details

CWE(s)

Affected Products

zyxel · wx5610-b0 firmware · ≤ 5.18(acgj.0.5)c0
zyxel · lte3301-plus firmware · ≤ 1.00(abqu.9)c0
zyxel · nebula lte3301-plus firmware · ≤ 1.18(acca.6)v0
zyxel · nr7101 firmware · ≤ 1.00(abuv.12)b2
zyxel · nebula nr7101 firmware · ≤ 1.16(accc.1)v0
zyxel · dx4510-b0 firmware · ≤ 5.17(abyl.10.1)c0
zyxel · dx4510-b1 firmware · ≤ 5.17(abyl.10.1)c0
zyxel · ee6510-10 firmware · ≤ 5.19(acjq.4.1)c0
zyxel · emg6726-b10a firmware · ≤ 5.13(abnp.8.2)c1
zyxel · ex2210-t0 firmware · ≤ 5.50(acdi.2.4)c0
+8 more product configuration(s) — see NVD for full list

MITRE ATT&CK Enterprise Techniques (AI)

T1190 · Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 · Unix Shell · Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

The CVE enables remote unauthenticated exploitation of a public-facing UPnP service (T1190), leading to arbitrary OS command execution on a likely Unix/Linux-based network device (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
