Critical Zyxel Vulnerabilities Allow Remote Command Injection; Firmware Updates Released

Critical Zyxel Vulnerabilities Expose Routers to Remote Command Injection

Zyxel has released firmware updates addressing multiple vulnerabilities in a range of its networking devices, including 4G LTE/5G NR Customer Premises Equipment (CPEs), DSL/Ethernet CPEs, Fiber Optical Network Terminals (ONTs), Security Routers, and Wireless Extenders. The flaws range from an unauthenticated remote command injection to post-authentication command injection and denial-of-service (DoS) crashes, so an exposed device can be fully compromised without any credentials.

Overview of Vulnerabilities

The security advisory covers seven distinct vulnerabilities reported by security researchers Tiantai Zhang, Víctor Fresco, and Watchful IP. The most critical is an unauthenticated command injection flaw; the remainder are two post-authentication command injections and four null pointer dereferences that crash the device.

Detailed Analysis of Vulnerabilities

1. CVE-2025-13942 – Unauthenticated Command Injection (CVSS 9.8):
– Description: A remote, unauthenticated attacker can execute arbitrary operating system commands by sending crafted Universal Plug and Play (UPnP) Simple Object Access Protocol (SOAP) requests to the device.
– Impact: Complete device compromise with no credentials required.
– Mitigation: Zyxel notes that WAN access is disabled by default on all affected devices, which limits exposure. A device becomes exploitable when a user has enabled both WAN access and the UPnP function. This protection depends on configuration rather than on code, so administrators should confirm the running configuration instead of assuming the default is still in place.

2. CVE-2025-13943 – Post-Authentication Command Injection:
– Description: An authenticated user can execute OS commands through the log file download feature of the web interface.
– Impact: Any account that can log in gains OS-level command execution on the device, so weak, default, or leaked credentials translate directly into device compromise.

3. CVE-2026-1459 – Post-Authentication Command Injection:
– Description: An authenticated administrator can execute OS commands via the TR-369 certificate download CGI.
– Impact: Administrator access is no longer confined to the management functions the web interface exposes; an attacker holding or hijacking an administrator session can escape to the underlying operating system.

4. CVE-2025-11845 to CVE-2025-11848 – Null Pointer Dereference:
– Description: Crafted HTTP requests to several CGI programs (certificate downloader, account settings, IP settings, Wake-on-LAN) trigger null pointer dereferences that result in a denial of service.
– Impact: Service disruption; the affected device crashes and connectivity is interrupted until it recovers.
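The two post-authentication flaws in items 2 and 3 (CVE-2025-13943 and CVE-2026-1459) share a pattern worth seeing in code: a CGI handler accepts a file name (a log file in one case, a certificate in the other) and builds a shell command around it. The following Python is an added illustration of that bug class and its fix, not Zyxel's code and not derived from the advisory; the handler names, the temporary log directory, the sample log content and the use of `cat` as a stand-in for whatever the real CGI runs are all made up, and it assumes a POSIX shell.

```python
"""Command injection in a 'download log file' handler, vulnerable and hardened.

Added illustration of the bug class, not Zyxel's code. Assumes a POSIX shell
and the cat utility; LOG_DIR and its contents are constructed for the demo.
"""
import os
import re
import subprocess
import tempfile

# Stand-in for the device's log directory, created fresh so the demo is self-contained.
LOG_DIR = os.path.realpath(tempfile.mkdtemp(prefix="cgi-logs-"))
SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]{1,64}")   # allowlist: no '/', no shell metacharacters

with open(os.path.join(LOG_DIR, "messages"), "w", encoding="utf-8") as fh:
    fh.write("kernel: link up\n")                   # constructed sample log content


def download_log_vulnerable(name):
    """Vulnerable handler: the request parameter is spliced into a shell command
    line, so ';', '|', '$(...)' and similar are executed by /bin/sh with the
    CGI process's privileges. Returns (status, body) like a CGI response."""
    cmd = f"cat {LOG_DIR}/{name}"
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return 200, out.stdout


def download_log_hardened(name):
    """Hardened handler: allowlist the name, canonicalize the path, refuse
    anything that leaves LOG_DIR, and execute without a shell (argv list)."""
    if not SAFE_NAME.fullmatch(name):
        return 400, "invalid log name"
    path = os.path.realpath(os.path.join(LOG_DIR, name))
    # '.' and '..' pass the character allowlist; the containment check stops them.
    if os.path.commonpath([path, LOG_DIR]) != LOG_DIR:
        return 400, "invalid log name"
    if not os.path.isfile(path):
        return 404, "no such log"
    out = subprocess.run(["cat", path], capture_output=True, text=True, check=True)
    return 200, out.stdout


if __name__ == "__main__":
    payload = "messages; echo INJECTED"
    print("vulnerable:", download_log_vulnerable(payload))
    print("hardened:  ", download_log_hardened(payload))
    print("hardened:  ", download_log_hardened("messages"))
```

The hardened version relies on three independent controls: a character allowlist that excludes every shell metacharacter and path separator, a realpath-based containment check for the `.` and `..` names that slip through the allowlist, and an argv-list `subprocess.run` call so that no shell ever parses the input. Any one of the first two alone would still be exploitable through the third.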

Affected Devices and Firmware Versions

A wide range of Zyxel devices is impacted. The list below covers a subset of the models vulnerable to the critical CVE-2025-13942 flaw; the complete list of affected models and firmware versions is in Zyxel's advisory:

– 4G LTE/5G NR CPE:
– Model: Nebula NR7101
– Affected Version: 1.16(ACCC.1)C0 & earlier
– Patch Version: 1.16(ACCC.1)V0

– DSL/Ethernet CPE:
– Model: DX4510-B0
– Affected Version: 5.17(ABYL.10)C0 & earlier
– Patch Version: 5.17(ABYL.10.1)C0

– Fiber ONTs:
– Model: PX5301-T0
– Affected Version: 5.44(ACKB.0.5)C0 & earlier
– Patch Version: 5.44(ACKB.0.6)C0

– Wireless Extenders:
– Model: WX5610-B0
– Affected Version: 5.18(ACGJ.0.4)C0 & earlier
– Patch Version: 5.18(ACGJ.0.5)C0

Mitigation Steps

Administrators are urged to act immediately:

1. Apply Firmware Updates:
– Download and install the latest firmware from Zyxel’s official support portal or community forum.

2. Restrict WAN Access:
– Disable WAN access and UPnP on external interfaces unless absolutely necessary, and confirm from outside the network that the management and UPnP services no longer answer.

3. Update Credentials:
– Change default or weak passwords. The post-authentication flaws (CVE-2025-13943, CVE-2026-1459) turn any valid login into OS command execution, so credential hygiene limits who can reach them until the patch is applied.

4. Contact ISPs:
– For ISP-provided devices, which often run operator-specific firmware, contact your provider for the corresponding update.

Conclusion

These vulnerabilities are a reminder that CPE firmware needs the same patch discipline as any other Internet-facing system. Applying the released firmware, keeping WAN management and UPnP disabled unless they are genuinely required, and replacing default credentials close the paths described above and protect the integrity of the network behind the device.