Zyxel has released a security advisory and patches for network security vulnerabilities in certain fixed wireless outdoor routers, gateways, fiber optic network terminals, and other security routers and wireless extenders.
"It is important to note that WAN access is disabled by default on these devices, and this attack can only succeed if user-configured passwords have been compromised," the company said in its advisory on Wednesday.
Essentially, the vulnerabilities allow threat actors to use operating system commands to reconfigure organizations' network security if both conditions are met (WAN access has been enabled and user-configured passwords have been compromised) on the following categories of devices:
- 4G LTE/5G NR CPE
- DSL/Ethernet CPE
- Fiber ONTs
- Security Routers
- Wireless Extenders
Using UPnP Simple Object Access Protocol (SOAP) requests, threat actors could send HTTP-based XML messages to control network devices, for example to add port mappings or retrieve data.
All told, the vulnerabilities create doors that allow software to automatically reconfigure your network security, a common scenario in gaming but a serious problem for enterprises relying on HIPAA-grade routers like these.
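As an added example (not part of the original article or Zyxel's advisory), the Python code below parses a captured UPnP SOAP request of the kind described above and lists reasons an AddPortMapping call deserves review. The sample request, the addresses and the review rules are constructed assumptions; the argument names follow the UPnP WANIPConnection service.

```python
import ipaddress
import xml.etree.ElementTree as ET

SOAP_BODY = "{http://schemas.xmlsoap.org/soap/envelope/}Body"

# Constructed sample of a captured request body (not taken from the advisory).
SAMPLE = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
<u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost>
<NewExternalPort>3389</NewExternalPort>
<NewProtocol>TCP</NewProtocol>
<NewInternalPort>3389</NewInternalPort>
<NewInternalClient>192.168.1.50</NewInternalClient>
<NewEnabled>1</NewEnabled>
<NewPortMappingDescription>example</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration>
</u:AddPortMapping></s:Body></s:Envelope>"""

def parse_action(body):
    """Return (action_name, {argument: value}) from a SOAP request body."""
    if "<!DOCTYPE" in body or "<!ENTITY" in body:
        raise ValueError("DTD in SOAP body")  # UPnP control messages never need one
    action = ET.fromstring(body).find(SOAP_BODY)[0]
    return action.tag.split("}")[-1], {c.tag: (c.text or "") for c in action}

def review(body, source_ip):
    """List reasons an AddPortMapping request deserves a closer look."""
    action, args = parse_action(body)
    if action != "AddPortMapping":
        return []
    findings = []
    for field in ("NewExternalPort", "NewInternalPort"):
        value = args.get(field, "")
        if not (value.isascii() and value.isdigit() and int(value) <= 65535):
            findings.append(f"{field} is not a valid port: {value!r}")
    if args.get("NewProtocol") not in ("TCP", "UDP"):
        findings.append(f"NewProtocol is not TCP or UDP: {args.get('NewProtocol')!r}")
    try:
        client = ipaddress.ip_address(args.get("NewInternalClient", ""))
    except ValueError:  # assumed policy: accept IP literals only
        findings.append("NewInternalClient is not an IP literal")
    else:
        if client != ipaddress.ip_address(source_ip):
            findings.append(f"maps to {client}, not the requester {source_ip}")
    if args.get("NewLeaseDuration") == "0":
        findings.append("lease duration 0 requests a permanent mapping (IGD v1)")
    return findings
```

Calling `review(SAMPLE, "192.168.1.23")` returns two findings for the constructed request: the mapping targets a host other than the requester, and it never expires.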
The vulnerabilities, catalogued as CVE-2025-11845, CVE-2025-11846, CVE-2025-11847, CVE-2025-11848, CVE-2025-13942, CVE-2025-13943 and CVE-2026-1459, are null pointer dereferences and command injections.
Specifically, Zyxel said, "A null pointer dereference vulnerability in the account settings CGI program of certain 4G LTE/5G NR CPE, DSL/Ethernet CPE, Fiber ONTs, Security Routers, and Wireless Extenders firmware versions" could allow an attacker with authenticated administrator privileges to trigger a denial-of-service condition by sending a crafted HTTP request.
Some firmware could also allow authenticated attackers to execute commands on an affected device.
While the company said that all on-market models affected are listed in the advisory, organizations that acquired Zyxel routers and devices from an internet service provider, or purchased custom devices directly, should inquire about custom settings. The company also advised replacing models that have reached the end of their useful lives.
THE LARGER TREND
Zyxel routers, commonly used in healthcare and other industries requiring identity security, have come under attack many times before.
Two years ago, the Cybersecurity and Infrastructure Security Agency Common Vulnerabilities and Exposures program, which is currently extended through April, cited similar exposures in the company's products.
CVEs describing hidden backdoors go back nearly a decade. A command injection vulnerability in the company's diagnostic tools, CVE-2017-6884, was known to be used in a ransomware campaign, according to the agency.
The Office of Civil Rights in the Department of Health and Human Services advised system hardening in January, and specifically called on enterprises to create and maintain IT asset inventories that track device risk mitigation needs down to the firmware.
"An up-to-date information technology asset inventory can help entities understand their environment and identify information systems to be hardened," OCR said in its Cybersecurity Newsletter. "Examples of firmware that may need to be patched could include firmware of network devices such as routers and firewalls."
ON THE RECORD
"After a thorough investigation, we have identified the vulnerable products that are within their vulnerability support period and released updates to address these vulnerabilities," Zyxel said in the advisory.
Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.


