At a glance: Zyxel disclosed CVE-2025-13942, a critical (CVSS 9.8) command-injection vulnerability in the UPnP service of the EX3510-B0 router, affecting firmware through version 5.17(ABUP.15.1)C0. The flaw allows unauthenticated remote attackers to execute operating system commands via specially crafted UPnP SOAP requests when both UPnP and WAN access are enabled. Proof-of-concept code has been released, and exploitation requires minimal complexity once the service is exposed.
Threat summary
On February 24, 2026, Zyxel addressed several security issues, including CVE-2025-13942, a critical command-injection vulnerability in the Universal Plug and Play (UPnP) service of Zyxel EX3510-B0.
Specifically, the flaw affects firmware versions through 5.17(ABUP.15.1)C0.
The EX3510-B0 is a Customer Premises Equipment router used in residential and small-business environments. UPnP is a protocol suite that enables devices on a local network to automatically discover each other and establish services without manual configuration.
The flaw allows a remote threat actor to execute operating system commands by sending specially crafted UPnP Simple Object Access Protocol (SOAP) requests. The UPnP service processes these SOAP requests and passes parameters to backend components without proper sanitization, enabling command injection. Zyxel assigned the vulnerability a Common Vulnerability Scoring System (CVSS) score of 9.8 out of 10.
Researchers released a proof-of-concept demonstrating that the flaw is reachable without authentication and that a single crafted SOAP request is sufficient to trigger command execution. Exploitation requires both UPnP and Wide Area Network (WAN) access to be enabled. UPnP exposes the vulnerable code path, while WAN access determines whether the service is reachable from outside the local network.
Analysis & recommendations
Zyxel documentation indicates that WAN access is disabled by default, which means the flaw is not exploitable in default configurations. It becomes fully exploitable when administrators or service providers enable UPnP and expose it to the WAN for operational or management purposes.
The impact of successful exploitation is full compromise of the router. An adversary can execute operating system commands, modify configuration, deploy additional tooling, or use the device as a pivot into internal networks. The worst-case scenario includes persistent access, traffic manipulation, and lateral movement.
The attack complexity is low once the service is reachable, as the proof-of-concept shows that no authentication, race conditions, or memory-corruption techniques are required.
Recommended mitigations include:
- Updating the EX3510-B0 to the latest firmware that contains the fix for CVE-2025-13942
- Disabling UPnP where it is not operationally required, which reduces exposure by removing the vulnerable service
- Keeping WAN access disabled, which prevents the UPnP service from being reachable from outside the local network (Zyxel documentation indicates that this setting is off by default)
- Restricting management access to trusted internal IP ranges to limit external actors' ability to interact with administrative interfaces
- Applying firewall rules to block inbound traffic to UPnP-related ports, such as 1900/UDP and 5000/TCP depending on configuration, to further reduce the attack surface
- Segmenting Customer Premises Equipment and internet-of-things devices from critical internal networks to limit the impact of a compromised router
- Monitoring for unusual UPnP SOAP requests, unexpected device reboots, or configuration changes for additional visibility into potential exploitation attempts
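The last two recommendations (restricting UPnP to the LAN and watching for unusual SOAP requests) can be turned into a simple detection over captured UPnP traffic. The script below is an added illustration written for this advisory, not Zyxel's code and not the released proof-of-concept: it parses the SOAP envelope of each request, flags argument values that carry shell metacharacters (the shape of input a command-injection bug would consume), and flags requests that arrive from outside RFC 1918 ranges, which should not happen when WAN access is off. The sample requests, the `AddPortMapping` action name and the LAN ranges are assumptions chosen for the example; the advisory does not name the vulnerable UPnP action.

```python
"""Flag UPnP SOAP requests that carry shell metacharacters in their arguments
or that originate from outside the LAN.  Example detection logic, not part of
the advisory; sample requests below are constructed, not captured traffic."""
import ipaddress
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP_ENV = "{http://schemas.xmlsoap.org/soap/envelope/}"

# Characters that have no place in a hostname, IP address or port argument
# but would let an unsanitised value reach a shell.  Deliberately conservative.
SHELL_META = re.compile(r"[;|&`$<>\n]")

# Assumed LAN ranges; adjust to the deployment.  With WAN access disabled,
# UPnP requests from anything else should not be possible.
LAN_RANGES = [ipaddress.ip_network(n)
              for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_envelope(action, args,
                   service="urn:schemas-upnp-org:service:WANIPConnection:1"):
    """Build a minimal SOAP envelope for one UPnP action (used only to
    construct sample input; values are XML-escaped so metacharacters survive)."""
    inner = "".join(f"<{k}>{escape(v)}</{k}>" for k, v in args.items())
    return ('<?xml version="1.0"?>'
            '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
            f'<s:Body><u:{action} xmlns:u="{service}">{inner}</u:{action}>'
            '</s:Body></s:Envelope>')


def soap_arguments(body):
    """Return (action_name, {argument: value}) for the first action in a SOAP body."""
    root = ET.fromstring(body)
    soap_body = root.find(SOAP_ENV + "Body")
    if soap_body is None or len(soap_body) == 0:
        return None, {}
    action = soap_body[0]
    name = action.tag.rsplit("}", 1)[-1]          # strip the service namespace
    return name, {c.tag.rsplit("}", 1)[-1]: (c.text or "") for c in action}


def inspect_request(src_ip, body):
    """Return a list of findings for one request; an empty list means nothing notable."""
    findings = []
    try:
        action, args = soap_arguments(body)
    except ET.ParseError:
        return ["malformed SOAP envelope"]
    if not any(ipaddress.ip_address(src_ip) in net for net in LAN_RANGES):
        findings.append(f"request from non-LAN source {src_ip}")
    for name, value in args.items():
        if SHELL_META.search(value):
            findings.append(f"shell metacharacter in {action}/{name}: {value!r}")
    return findings


def scan(records):
    """Run inspect_request over (src_ip, body) pairs; keep only those with findings."""
    results = []
    for src_ip, body in records:
        findings = inspect_request(src_ip, body)
        if findings:
            results.append((src_ip, findings))
    return results


# Constructed samples: a benign port mapping from a LAN host, and a request from
# a non-LAN address whose NewInternalClient value carries a command separator.
SAMPLE_REQUESTS = [
    ("192.168.1.20", build_envelope("AddPortMapping", {
        "NewExternalPort": "8080", "NewProtocol": "TCP",
        "NewInternalClient": "192.168.1.20", "NewInternalPort": "8080"})),
    ("198.51.100.7", build_envelope("AddPortMapping", {
        "NewExternalPort": "8080", "NewProtocol": "TCP",
        "NewInternalClient": "192.168.1.20; id", "NewInternalPort": "8080"})),
]

if __name__ == "__main__":
    for src_ip, findings in scan(SAMPLE_REQUESTS):
        for finding in findings:
            print(f"{src_ip}: {finding}")
```

In practice the `(src_ip, body)` pairs would come from a packet capture or a reverse-proxy log in front of the UPnP port; the metacharacter check is intentionally broad because legitimate UPnP arguments are addresses, ports and short descriptions, so any hit is worth a look rather than an automatic verdict.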