9.8
CRITICAL CVSS 3.1
CVE-2025-13942
Zyxel EX3510-B0 UPnP Command Injection
Description

A command injection vulnerability in the UPnP function of the Zyxel EX3510-B0 firmware versions through 5.17(ABUP.15.1)C0 could allow a remote attacker to execute operating system (OS) commands on an affected device by sending specially crafted UPnP SOAP requests.

INFO

Published Date: Feb. 24, 2026, 3:16 a.m.

Last Modified: Feb. 25, 2026, 6:13 p.m.

Remotely Exploitable: Yes
Affected Products

The following products are affected by the CVE-2025-13942 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, that information is not represented in the table below.

ID Vendor Product
1 Zyxel nebula_nr7101_firmware
2 Zyxel nr7101_firmware
3 Zyxel dx4510-b1_firmware
4 Zyxel ex3510-b0_firmware
5 Zyxel ex5510-b0_firmware
6 Zyxel ex5512-t0_firmware
7 Zyxel lte3301-plus_firmware
8 Zyxel nebula_lte3301-plus_firmware
9 Zyxel emg6726-b10a_firmware
10 Zyxel vmg4927-b50a_firmware
11 Zyxel nebula_lte3301-plus
12 Zyxel px3321-t1_firmware
13 Zyxel px3321-t1
14 Zyxel ex7710-b0_firmware
15 Zyxel ex7710-b0
16 Zyxel ex5512-t0
17 Zyxel ex5510-b0
18 Zyxel ex3510-b0
19 Zyxel dx4510-b0_firmware
20 Zyxel dx4510-b0
21 Zyxel ex3510-b1_firmware
22 Zyxel ex3510-b1
23 Zyxel dx4510-b1
24 Zyxel lte3301-plus
25 Zyxel nr7101
26 Zyxel emg6726-b10a
27 Zyxel vmg4927-b50a
28 Zyxel nebula_nr7101
29 Zyxel ee6510-10_firmware
30 Zyxel ee6510-10
31 Zyxel ex2210-t0_firmware
32 Zyxel ex2210-t0
33 Zyxel px5301-t0_firmware
34 Zyxel px5301-t0
35 Zyxel wx5610-b0_firmware
36 Zyxel wx5610-b0
CVSS Scores
The Common Vulnerability Scoring System is a standardized framework for assessing the severity of vulnerabilities in software and systems. We collect and display CVSS scores from various sources for each CVE.
Score Version Severity Vector Exploitability Score Impact Score Source
CVSS 3.1 CRITICAL 96e50032-ad0d-4058-a115-4d2c13821f9f
CVSS 3.1 CRITICAL [email protected]
CVSS 3.1 CRITICAL [email protected]
Solution
Update firmware to patch command injection vulnerability in UPnP function.
  • Update the device firmware to the latest version.
  • Disable UPnP if not needed.
  • Monitor network traffic for suspicious UPnP requests.
Public PoC/Exploit Available on GitHub

CVE-2025-13942 has 1 public PoC/exploit available on GitHub.

References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2025-13942.

URL Resource
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-null-pointer-dereference-and-command-injection-vulnerabilities-in-certain-4g-lte-5g-nr-cpe-dsl-ethernet-cpe-fiber-onts-security-routers-and-wireless-extenders-02-24-2026 Vendor Advisory
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2025-13942 is associated with the following CWE:

  • CWE-78


We scan GitHub repositories to detect new proof-of-concept exploits. The following list is a collection of public exploits and proofs of concept that have been published on GitHub (sorted by most recently updated).

Collection of CVEs that I have discovered and their corresponding exploits

0day cve exploit security

Python

Updated: 1 week, 5 days ago
5 stars, 0 forks, 0 watchers
Created: Nov. 23, 2025, 9:12 p.m. This repo has also been linked to 5 different CVEs.

Results are limited to the first 15 repositories due to potential performance issues.

The following news articles mention the CVE-2025-13942 vulnerability.

  • CybersecurityNews
Critical Zyxel Vulnerabilities Exposes Routers to Remote Command Injection

Critical firmware updates have been released to address multiple serious vulnerabilities in networking devices, including 4G LTE/5G NR CPEs, DSL/Ethernet CPEs, Fiber ONTs, Securi ...

Published Date: Feb 27, 2026 (2 weeks, 5 days ago)
  • security.nl
Critical UPnP flaw in Zyxel routers can give remote attackers access

A critical vulnerability in the UPnP function of various routers, Wi-Fi extenders and other network devices from Zyxel makes it possible for an unauthenticated attacker to remotely ...

Published Date: Feb 25, 2026 (3 weeks ago)
  • Daily CyberSecurity
Total Takeover: Critical Zyxel Flaw (CVSS 9.8) Exposes Routers to Remote Command Injection

Networking giant Zyxel has rolled out a wave of urgent security patches addressing multiple vulnerabilities across its fleet of 4G LTE/5G NR CPEs, DSL/Ethernet routers, Fiber ONTs, and Wireless Extend ...

Published Date: Feb 25, 2026 (3 weeks, 1 day ago)

The following table lists the changes that have been made to the CVE-2025-13942 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • Initial Analysis by [email protected]

    Feb. 25, 2026

    Action Type Old Value New Value
    Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    Added CPE Configuration AND OR *cpe:2.3:o:zyxel:wx5610-b0_firmware:*:*:*:*:*:*:*:* versions up to (excluding) 5.18(acgj.0.5)c0 OR cpe:2.3:h:zyxel:wx5610-b0:-:*:*:*:*:*:*:*
    Added CPE Configuration AND OR *cpe:2.3:o:zyxel:lte3301-plus_firmware:*:*:*:*:*:*:*:* versions up to (excluding) 1.00(abqu.9)c0 OR cpe:2.3:h:zyxel:lte3301-plus:-:*:*:*:*:*:*:*
    Added CPE Configuration AND OR *cpe:2.3:o:zyxel:nebula_lte3301-plus_firmware:*:*:*:*:*:*:*:* versions up to (excluding) 1.18(acca.6)v0 OR cpe:2.3:h:zyxel:nebula_lte3301-plus:-:*:*:*:*:*:*:*
    Added CPE Configuration AND OR *cpe:2.3:o:zyxel:nr7101_firmware:*:*:*:*:*:*:*:* versions up to (excluding) 1.00(abuv.12)b2 OR cpe:2.3:h:zyxel:nr7101:-:*:*:*:*:*:*:*
    Added CPE Configuration AND OR *cpe:2.3:o:zyxel:nebula_nr7101_firmware:*:*:*:*:*:*:*:* versions up to (excluding) 1.16(accc.1)v0 OR cpe:2.3:h:zyxel:nebula_nr7101:-:*:*:*:*:*:*:*
    Added CPE Configuration AND OR *cpe:2.3:o:zyxel:dx4510-b0_firmware:*:*:*:*:*:*:*:* versions up to (excluding) 5.17(abyl.10.1)c0 OR cpe:2.3:h:zyxel:dx4510-b0:-:*:*:*:*:*:*:*
    Added CPE Configuration AND OR *cpe:2.3:o:zyxel:dx4510-b1_firmware:*:*:*:*:*:*:*:* versions up to (excluding) 5.17(abyl.10.1)c0 OR cpe:2.3:h:zyxel:dx4510-b1:-:*:*:*:*:*:*:*
    Added CPE Configuration AND OR *cpe:2.3:o:zyxel:ee6510-10_firmware:*:*:*:*:*:*:*:* versions up to (excluding) 5.19(acjq.4.1)c0 OR cpe:2.3:h:zyxel:ee6510-10:-:*:*:*:*:*:*:*
    Added CPE Configuration AND OR *cpe:2.3:o:zyxel:emg6726-b10a_firmware:*:*:*:*:*:*:*:* versions up to (excluding) 5.13(abnp.8.2)c1 OR cpe:2.3:h:zyxel:emg6726-b10a:-:*:*:*:*:*:*:*
    Added CPE Configuration AND OR *cpe:2.3:o:zyxel:ex2210-t0_firmware:*:*:*:*:*:*:*:* versions up to (excluding) 5.50(acdi.2.4)c0 OR cpe:2.3:h:zyxel:ex2210-t0:-:*:*:*:*:*:*:*
    Added CPE Configuration AND OR *cpe:2.3:o:zyxel:ex3510-b0_firmware:*:*:*:*:*:*:*:* versions up to (excluding) 5.17(abup.15.2)c0 OR cpe:2.3:h:zyxel:ex3510-b0:-:*:*:*:*:*:*:*
    Added CPE Configuration AND OR *cpe:2.3:o:zyxel:ex3510-b1_firmware:*:*:*:*:*:*:*:* versions up to (excluding) 5.17(abup.15.2)c0 OR cpe:2.3:h:zyxel:ex3510-b1:-:*:*:*:*:*:*:*
    Added CPE Configuration AND OR *cpe:2.3:o:zyxel:ex5510-b0_firmware:*:*:*:*:*:*:*:* versions up to (excluding) 5.17(abqx.11.1)c0 OR cpe:2.3:h:zyxel:ex5510-b0:-:*:*:*:*:*:*:*
    Added CPE Configuration AND OR *cpe:2.3:o:zyxel:ex5512-t0_firmware:*:*:*:*:*:*:*:* versions up to (excluding) 5.70(aceg.5.4)c0 OR cpe:2.3:h:zyxel:ex5512-t0:-:*:*:*:*:*:*:*
    Added CPE Configuration AND OR *cpe:2.3:o:zyxel:ex7710-b0_firmware:*:*:*:*:*:*:*:* versions up to (excluding) 5.18(acak.1.6)c0 OR cpe:2.3:h:zyxel:ex7710-b0:-:*:*:*:*:*:*:*
    Added CPE Configuration AND OR *cpe:2.3:o:zyxel:vmg4927-b50a_firmware:*:*:*:*:*:*:*:* versions up to (excluding) 5.13(ably.10.2)c0 OR cpe:2.3:h:zyxel:vmg4927-b50a:-:*:*:*:*:*:*:*
    Added CPE Configuration AND OR *cpe:2.3:o:zyxel:px3321-t1_firmware:*:*:*:*:*:*:*:* versions up to (excluding) 5.44(acjb.1.5)c0 OR cpe:2.3:h:zyxel:px3321-t1:-:*:*:*:*:*:*:*
    Added CPE Configuration AND OR *cpe:2.3:o:zyxel:px3321-t1_firmware:*:*:*:*:*:*:*:* versions up to (excluding) 5.44(achk.3)c0 OR cpe:2.3:h:zyxel:px3321-t1:-:*:*:*:*:*:*:*
    Added CPE Configuration AND OR *cpe:2.3:o:zyxel:px5301-t0_firmware:*:*:*:*:*:*:*:* versions up to (excluding) 5.44(ackb.0.6)c0 OR cpe:2.3:h:zyxel:px5301-t0:-:*:*:*:*:*:*:*
    Added Reference Type Zyxel Corporation: https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-null-pointer-dereference-and-command-injection-vulnerabilities-in-certain-4g-lte-5g-nr-cpe-dsl-ethernet-cpe-fiber-onts-security-routers-and-wireless-extenders-02-24-2026 Types: Vendor Advisory
  • New CVE Received by [email protected]

    Feb. 24, 2026

    Action Type Old Value New Value
    Added Description A command injection vulnerability in the UPnP function of the Zyxel EX3510-B0 firmware versions through 5.17(ABUP.15.1)C0 could allow a remote attacker to execute operating system (OS) commands on an affected device by sending specially crafted UPnP SOAP requests.
    Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    Added CWE CWE-78
    Added Reference https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-null-pointer-dereference-and-command-injection-vulnerabilities-in-certain-4g-lte-5g-nr-cpe-dsl-ethernet-cpe-fiber-onts-security-routers-and-wireless-extenders-02-24-2026
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. The following chart shows the EPSS score history of the vulnerability.