CVE-2025-13942
Severity: CRITICAL
WAF: High
CVSS 9.8
Published: 2026-02-24
CWE-78
A command injection vulnerability in the UPnP function of the Zyxel EX3510-B0 firmware versions through 5.17(ABUP.15.1)C0 could allow a remote attacker to execute operating system (OS) commands on an affected device by sending specially crafted UPnP SOAP requests.
WAF Coverage Analysis
OS Command Injection
High WAF Coverage
OWASP: A03:2021 Injection
932xxx - Remote Code Execution
Affected Software
| Vendor | Product | Version |
|---|---|---|
| zyxel | wx5610-b0_firmware | up to 5.18(acgj.0.5)c0 |
| zyxel | lte3301-plus_firmware | up to 1.00(abqu.9)c0 |
| zyxel | nebula_lte3301-plus_firmware | up to 1.18(acca.6)v0 |
| zyxel | nr7101_firmware | up to 1.00(abuv.12)b2 |
| zyxel | nebula_nr7101_firmware | up to 1.16(accc.1)v0 |
| zyxel | dx4510-b0_firmware | up to 5.17(abyl.10.1)c0 |
| zyxel | dx4510-b1_firmware | up to 5.17(abyl.10.1)c0 |
| zyxel | ee6510-10_firmware | up to 5.19(acjq.4.1)c0 |
| zyxel | emg6726-b10a_firmware | up to 5.13(abnp.8.2)c1 |
| zyxel | ex2210-t0_firmware | up to 5.50(acdi.2.4)c0 |
References
- www.zyxel.com (Vendor Advisory)