Threat Feed
critical advisory

Critical Command Injection Vulnerability in Zyxel Routers (CVE-2026-13942)

A critical command injection vulnerability (CVE-2026-13942) in the UPnP function of Zyxel routers allows remote attackers to execute arbitrary operating system commands by sending crafted UPnP SOAP requests.

A critical command injection vulnerability, tracked as CVE-2026-13942, has been discovered in the UPnP (Universal Plug and Play) service of Zyxel routers. The vulnerability stems from insufficient validation of input within the UPnP SOAP request processing. An unauthenticated, remote attacker can exploit this flaw by sending specially crafted UPnP SOAP requests to the affected device. This allows the attacker to inject and execute arbitrary operating system commands with elevated privileges on…

Detection coverage (2 rules)

Detect Suspicious UPnP SOAP Requests

Severity: high

Detects suspicious UPnP SOAP requests that may indicate a command injection attempt, focusing on common command injection patterns.

Rule format: Sigma. Tactic: execution. Technique: T1059.004. Log sources: network_connection, zeek.

Detect Outbound Network Connection from Zyxel Routers

Severity: medium

Detects outbound network connections initiated from Zyxel routers, which may indicate compromise.

Rule format: Sigma. Tactic: command_and_control. Technique: T1071.001. Log sources: network_connection, windows.
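The two rules above are summarised without their queries. As an added example, and not the feed's own rule text, the Python below implements detection logic in the spirit of both rules over constructed Zeek-style JSON log lines. It assumes the http.log has been extended with `soap_action` and `post_body` fields (these are not Zeek defaults; a script that records the SOAPAction header and request body is required), that the operator supplies the set of router addresses, and that the UPnP endpoint path hints and the DNS/NTP allowlist are tuned per environment. The metacharacter patterns are the generic command-separator set; no Zyxel-specific request details are assumed.

```python
"""Added example: detection logic matching the two rules summarised above.

Not the vendor's rule text.  Assumptions: Zeek http.log and conn.log exported
as JSON; http.log carries `soap_action` and `post_body` (not Zeek defaults);
router addresses are supplied by the operator.
"""
import html
import ipaddress
import json
import re
from urllib.parse import unquote

# Metacharacters commonly abused in OS command injection.  '<' and '>' are
# deliberately absent: they are legitimate in SOAP XML and would only add noise.
INJECTION_PATTERNS = {
    "separator": re.compile(r"[;|`]"),       # ; | or backtick
    "substitution": re.compile(r"\$\("),     # $( ... )
    "chaining": re.compile(r"&&|\|\|"),      # && or ||
    "newline": re.compile(r"[\r\n]"),        # raw newline inside one value
}
UPNP_PATH_HINTS = ("/ctl/", "/control", "/upnp/")  # assumption: paths vary by vendor
ALLOWED_OUTBOUND_PORTS = {53, 123}                 # assumption: DNS/NTP expected from a router
# RFC 1918 only; ipaddress.is_private is broader (it also covers the TEST-NET ranges).
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def element_values(xml_text):
    """Text nodes of a SOAP body; tag names, attributes and inter-tag whitespace are ignored."""
    return [v.strip() for v in re.findall(r">([^<]*)<", xml_text or "") if v.strip()]


def injection_indicators(body):
    """Names of the injection patterns found in the body's element values."""
    found = []
    for value in element_values(body):
        # URL-decode, then resolve XML entities: "&amp;&amp;" becomes "&&" (a real
        # indicator) while a lone "&amp;" no longer contributes a ';' to the scan.
        text = html.unescape(unquote(value))
        for name, pattern in INJECTION_PATTERNS.items():
            if name not in found and pattern.search(text):
                found.append(name)
    return found


def is_upnp_soap_request(rec):
    if (rec.get("method") or "").upper() != "POST":
        return False
    uri = (rec.get("uri") or "").lower()
    return bool(rec.get("soap_action")) or any(h in uri for h in UPNP_PATH_HINTS)


def detect_soap_injection(http_log_lines):
    """Rule 1 (high): UPnP SOAP POSTs whose values carry command injection patterns."""
    alerts = []
    for line in http_log_lines:
        rec = json.loads(line)
        if not is_upnp_soap_request(rec):
            continue
        hits = injection_indicators(rec.get("post_body"))
        if hits:
            alerts.append({"severity": "high", "ts": rec.get("ts"), "src": rec.get("id.orig_h"),
                           "dst": rec.get("id.resp_h"), "uri": rec.get("uri"), "indicators": hits})
    return alerts


def detect_router_outbound(conn_log_lines, router_ips):
    """Rule 2 (medium): a router connecting out to a non-local address on an unexpected port."""
    alerts = []
    for line in conn_log_lines:
        rec = json.loads(line)
        if rec.get("id.orig_h") not in router_ips:
            continue
        try:
            dst = ipaddress.ip_address(rec["id.resp_h"])
        except (KeyError, ValueError):
            continue
        if any(dst in net for net in LOCAL_NETS) or rec.get("id.resp_p") in ALLOWED_OUTBOUND_PORTS:
            continue
        alerts.append({"severity": "medium", "ts": rec.get("ts"), "src": rec["id.orig_h"],
                       "dst": str(dst), "dport": rec.get("id.resp_p")})
    return alerts


# Constructed sample records (not real captures).  Element names in the flagged
# request are placeholders, not a specific vendor action.
ROUTER_IPS = {"192.168.1.1"}
SAMPLE_HTTP_LOG = [json.dumps(r) for r in [
    {"ts": 1.0, "id.orig_h": "192.168.1.50", "id.resp_h": "192.168.1.1", "method": "POST", "uri": "/ctl/IPConn",
     "soap_action": "urn:schemas-upnp-org:service:WANIPConnection:1#GetExternalIPAddress",
     "post_body": "<s:Envelope><s:Body><u:GetExternalIPAddress/></s:Body></s:Envelope>"},
    {"ts": 2.0, "id.orig_h": "192.168.1.50", "id.resp_h": "192.168.1.1", "method": "POST", "uri": "/ctl/IPConn",
     "soap_action": "urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping",
     "post_body": "<s:Envelope><s:Body><u:AddPortMapping>\n <NewPortMappingDescription>AT&amp;T box"
                  "</NewPortMappingDescription>\n</u:AddPortMapping></s:Body></s:Envelope>"},
    {"ts": 3.0, "id.orig_h": "192.168.1.77", "id.resp_h": "192.168.1.1", "method": "POST", "uri": "/ctl/IPConn",
     "soap_action": "urn:schemas-upnp-org:service:WANIPConnection:1#ExampleAction",
     "post_body": "<s:Envelope><s:Body><u:ExampleAction><Arg>192.168.1.10;id</Arg></u:ExampleAction></s:Body></s:Envelope>"},
    {"ts": 4.0, "id.orig_h": "192.168.1.77", "id.resp_h": "192.168.1.1", "method": "POST", "uri": "/login",
     "post_body": "user=admin;id"},  # not a UPnP request: outside rule 1's scope
]]
SAMPLE_CONN_LOG = [json.dumps(r) for r in [
    {"ts": 5.0, "id.orig_h": "192.168.1.1", "id.resp_h": "203.0.113.53", "id.resp_p": 53},    # DNS, allowed
    {"ts": 6.0, "id.orig_h": "192.168.1.1", "id.resp_h": "203.0.113.10", "id.resp_p": 4444},  # unexpected
    {"ts": 7.0, "id.orig_h": "192.168.1.50", "id.resp_h": "203.0.113.10", "id.resp_p": 443},  # not a router
    {"ts": 8.0, "id.orig_h": "192.168.1.1", "id.resp_h": "192.168.1.50", "id.resp_p": 80},    # local
]]

if __name__ == "__main__":
    for alert in detect_soap_injection(SAMPLE_HTTP_LOG) + detect_router_outbound(SAMPLE_CONN_LOG, ROUTER_IPS):
        print(json.dumps(alert))
```

Scanning only element text rather than the whole body matters in practice: pretty-printed XML and entity references such as `&amp;` would otherwise trip the separator and newline patterns on every benign request. The outbound rule is intentionally coarse (the feed rates it medium); in a real deployment the allowlist should be extended with the vendor's update and cloud-management endpoints before alerting on it.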

Detection queries are kept inside the platform.