CVE-2025-13942

CWE-78 — OS Command Injection4 documents4 sources

Severity

9.8CRITICAL

EPSS

0.2%

top 61.26%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zyxel Dx4510-b0 Firmware Zyxel Dx4510-b1 Firmware Zyxel Ee6510-10 Firmware +15 more

Timeline

PublishedFeb 24

Latest updateFeb 25

Description

A command injection vulnerability in the UPnP function of the Zyxel EX3510-B0 firmware versions through 5.17(ABUP.15.1)C0 could allow a remote attacker to execute operating system (OS) commands on an affected device by sending specially crafted UPnP SOAP requests.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages19 packages

▶NVDzyxel/ex3510-b0_firmware< 5.17\(abup.15.2\)c0

▶NVDzyxel/ex3510-b1_firmware< 5.17\(abup.15.2\)c0

▶CVEListV5zyxel/ex3510-b0_firmware5.17(ABUP.15.1)C0

▶NVDzyxel/nr7101_firmware< 1.00\(abuv.12\)b2

▶NVDzyxel/dx4510-b0_firmware< 5.17\(abyl.10.1\)c0

🔴Vulnerability Details

GHSA

GHSA-934v-v4wh-rf2c: A command injection vulnerability in the UPnP function of the Zyxel EX3510-B0 firmware versions through 5↗2026-02-24

▶

CVEList

CVE-2025-13942: A command injection vulnerability in the UPnP function of the Zyxel EX3510-B0 firmware versions through 5↗2026-02-24

▶

🕵️Threat Intelligence

Bleepingcomputer

Zyxel warns of critical RCE flaw affecting over a dozen routers↗2026-02-25

▶