CVE-2025-13943
Published: 24 February 2026
Summary
CVE-2025-13943 is a high-severity OS Command Injection (CWE-78) vulnerability in Zyxel Px3321-T1 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 31.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-13943 is a post-authentication command injection vulnerability (CWE-78) in the log file download function of the Zyxel EX3301-T0 firmware versions through 5.50(ABVY.7)C0. Published on 2026-02-24, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), reflecting high severity from potential impacts to confidentiality, integrity, and availability.
An authenticated attacker with low privileges can exploit this vulnerability remotely over the network with low attack complexity and without requiring user interaction. Exploitation enables the attacker to execute arbitrary operating system commands on the affected device.
Zyxel has issued a security advisory addressing this command injection vulnerability alongside null pointer dereference issues in certain 4G LTE, 5G NR CPE, DSL Ethernet CPE, fiber ONTs, security routers, and wireless extenders, available at https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-null-pointer-dereference-and-command-injection-vulnerabilities-in-certain-4g-lte-5g-nr-cpe-dsl-ethernet-cpe-fiber-onts-security-routers-and-wireless-extenders-02-24-2026. Practitioners should review the advisory for recommended patches and mitigation guidance.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-207550
Vulnerability details
A post-authentication command injection vulnerability in the log file download function of the Zyxel EX3301-T0 firmware versions through 5.50(ABVY.7)C0 could allow an authenticated attacker to execute operating system (OS) commands on an affected device.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Post-auth command injection (CWE-78) in network device web function directly enables remote OS command execution via Unix shell after valid account access.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-10 requires validation of user inputs to the log file download function, directly preventing command injection by rejecting malicious payloads.
SI-2 ensures timely flaw remediation through firmware patching as recommended in the Zyxel security advisory, eliminating the vulnerability.
AC-6 enforces least privilege for authenticated users, limiting the scope and impact of any successful command injection to authorized tasks only.