Cyber Posture

CVE-2025-13942

Critical RCE

Published: 24 February 2026
Modified: 25 February 2026
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0018 (39.4th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-13942 is a critical-severity OS Command Injection (CWE-78) vulnerability in Zyxel Px3321-T1 Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 39.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

prevent: Directly mitigates the command injection vulnerability by identifying, testing, and applying firmware patches as issued in the Zyxel security advisory.

prevent: Implements input validation mechanisms on UPnP SOAP requests to block specially crafted payloads that enable command injection.

prevent: Restricts or disables the nonessential UPnP function on the device to eliminate the attack surface for remote command injection.

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

The CVE enables remote unauthenticated exploitation of a public-facing UPnP service (T1190), leading to arbitrary OS command execution on a likely Unix/Linux-based network device (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A command injection vulnerability in the UPnP function of the Zyxel EX3510-B0 firmware versions through 5.17(ABUP.15.1)C0 could allow a remote attacker to execute operating system (OS) commands on an affected device by sending specially crafted UPnP SOAP requests.

Deeper analysis [AI]

CVE-2025-13942 is a command injection vulnerability (CWE-78) in the UPnP function of Zyxel EX3510-B0 firmware versions through 5.17(ABUP.15.1)C0. Published on 2026-02-24, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting critical severity due to its potential for high-impact confidentiality, integrity, and availability effects.

A remote, unauthenticated attacker can exploit the vulnerability by sending specially crafted UPnP SOAP requests to an affected device, enabling arbitrary operating system command execution. The attack requires no privileges and no user interaction, and its complexity is low, making it highly accessible over the network.

Zyxel has issued a security advisory addressing this command injection vulnerability alongside null pointer dereference issues in certain 4G LTE, 5G NR CPE, DSL Ethernet CPE, fiber ONTs, security routers, and wireless extenders, available at https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-null-pointer-dereference-and-command-injection-vulnerabilities-in-certain-4g-lte-5g-nr-cpe-dsl-ethernet-cpe-fiber-onts-security-routers-and-wireless-extenders-02-24-2026.

Details

CWE(s)

Affected Products

zyxel wx5610-b0 firmware: ≤ 5.18(acgj.0.5)c0
zyxel lte3301-plus firmware: ≤ 1.00(abqu.9)c0
zyxel nebula lte3301-plus firmware: ≤ 1.18(acca.6)v0
zyxel nr7101 firmware: ≤ 1.00(abuv.12)b2
zyxel nebula nr7101 firmware: ≤ 1.16(accc.1)v0
zyxel dx4510-b0 firmware: ≤ 5.17(abyl.10.1)c0
zyxel dx4510-b1 firmware: ≤ 5.17(abyl.10.1)c0
zyxel ee6510-10 firmware: ≤ 5.19(acjq.4.1)c0
zyxel emg6726-b10a firmware: ≤ 5.13(abnp.8.2)c1
zyxel ex2210-t0 firmware: ≤ 5.50(acdi.2.4)c0
+8 more product configuration(s) — see NVD for full list

CVEs Like This One

CVE-2025-13943 (Same product: Zyxel Dx4510-B0)
CVE-2026-7256 (Same vendor: Zyxel)
CVE-2024-40890 (Same vendor: Zyxel)
CVE-2026-1459 (Same vendor: Zyxel)
CVE-2024-40891 (Same vendor: Zyxel)
CVE-2025-8693 (Same product: Zyxel Dx4510-B1)
CVE-2025-7673 (Same product: Zyxel Emg6726-B10A)
CVE-2026-1961 (Shared CWE-78)
CVE-2025-54418 (Shared CWE-78)
CVE-2025-20349 (Shared CWE-78)
