LeakyCreds

CVE-2025-13942 - Vulnerability Analysis

Critical | CVSS: 9.8

Last Updated: February 24, 2026

Zyxel EX3510-B0 - Command Injection

Published: February 24, 2026 | Updated: February 24, 2026 | Remote Exploitable

Overview

Zyxel EX3510-B0 firmware <= 5.17(ABUP.15.1)C0 contains a command injection caused by improper input handling in the UPnP function, letting remote attackers execute OS commands via crafted UPnP SOAP requests.

Severity & Score

Severity: Critical
CVSS Score: 9.8
EPSS Score: 47.9% (Probability of exploitation in next 30 days)

Impact

Remote attackers can execute arbitrary OS commands, potentially taking full control of the affected device.

Mitigation

Update to the latest firmware version available from Zyxel.

Social Media Activity (1 post)

HackMag
@hackmag
Feb 27, 2026

⚪️ Critical RCE Vulnerability Affects Over 10 Zyxel Router Models 🗨️ Zyxel developers have released patches that fix a critical vulnerability affecting more than ten router models. The bug allows unauthenticated attackers to remotely execute commands on the devices. The vulnerability is tracked as CVE-2025-13942 and is a command injection issue… 🔗 https://hackmag.com/news/zyxel-rce-3?utm_source=mastodon&utm_medium=social&utm_campaign=repost_hackmag_to_socials #news


Details

CVE ID: CVE-2025-13942
Severity: Critical
CVSS Score: 9.8
Type: command_injection
Status: unconfirmed
EPSS: 47.9%
Social Posts: 1

CWE

  • CWE-78

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

47.9% (probability of exploitation in the next 30 days)