CVE-2025-5438: Command Injection in Linksys RE6500
A vulnerability was found in Linksys RE6500, RE6250, RE6300, RE6350, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. It has been declared as critical. Affected by this vulnerability is the function WPS of the file /goform/WPS. The manipulation of the argument PIN leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-5438 is a command injection vulnerability affecting multiple Linksys range extender models, including RE6500, RE6250, RE6300, RE6350, RE7000, and RE9000, specifically in firmware versions 1.0.013.001, 1.0.04.001, 1.0.04.002, 1.1.05.003, and 1.2.07.001. The vulnerability resides in the WPS (Wi-Fi Protected Setup) functionality, particularly in the /goform/WPS endpoint. An attacker can manipulate the 'PIN' argument sent to this endpoint to inject arbitrary commands that the device executes. This flaw allows remote exploitation without requiring user interaction or authentication, making it particularly dangerous. Although the CVSS v4.0 base score is 5.3 (medium severity), the ability to execute commands remotely elevates the risk profile. The vendor, Linksys, was notified early but has not responded or released patches, and no official fixes or mitigations have been published. While no known exploits are currently observed in the wild, the public disclosure of the exploit code increases the likelihood of active exploitation. The vulnerability impacts the confidentiality, integrity, and availability of the affected devices, potentially allowing attackers to take full control, disrupt network connectivity, or pivot into internal networks.
Potential Impact
For European organizations, this vulnerability poses a significant risk, especially for enterprises and small-to-medium businesses relying on Linksys range extenders to improve wireless coverage. Compromise of these devices can lead to unauthorized network access, interception of sensitive communications, and lateral movement within corporate networks. Given that these devices often reside at network edges or in less monitored segments, attackers could establish persistent footholds. The lack of vendor response and patches means organizations may face prolonged exposure. Additionally, critical infrastructure sectors using these devices for network extension could experience service disruptions or data breaches. The medium CVSS score may underestimate the real-world impact due to the ease of remote exploitation without authentication. The threat is exacerbated by the public availability of exploit code, increasing the risk of automated attacks targeting vulnerable devices across Europe.
Mitigation Recommendations
Organizations should immediately inventory their network infrastructure to identify the presence of affected Linksys range extender models and firmware versions. Until official patches are available, it is advisable to disable WPS functionality on these devices, as the vulnerability is tied to the WPS endpoint. If disabling WPS is not feasible, isolating the devices on segmented network zones with strict firewall rules to limit inbound access to the management interface can reduce exposure. Network monitoring should be enhanced to detect unusual command execution patterns or unexpected traffic to /goform/WPS endpoints. Employing network intrusion detection systems (NIDS) with signatures for known exploit attempts can provide early warning. Where possible, replace vulnerable devices with updated hardware from vendors with active security support. Organizations should also engage with Linksys support channels to demand timely patches and monitor vulnerability databases for updates. Finally, educating IT staff about this specific threat can improve incident response readiness.
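One way to implement the monitoring of /goform/WPS traffic described above, as an added example that is not part of the original advisory. The log line format and the function name are assumptions made for illustration, and the sample lines are constructed; the check is an allowlist that flags any PIN value that is not a 4- or 8-digit number.

```python
import re
from urllib.parse import parse_qs

# Constructed sample lines in an assumed proxy/capture log format:
#   <source-ip> <method> <path> <url-encoded request body>
SAMPLE_LOG = """\
192.0.2.10 POST /goform/WPS PIN=12345670
192.0.2.11 POST /goform/WPS PIN=1234
198.51.100.7 POST /goform/WPS PIN=12345670%3Bx
198.51.100.8 POST /goform/WPS PIN=%24%28x%29
192.0.2.12 GET /index.html -
192.0.2.13 POST /goform/WPS action=start
"""

# Assumption: a legitimate WPS PIN is 4 or 8 ASCII decimal digits.
# Anything else sent as PIN to this endpoint is reported (allowlist,
# not a blocklist of known payload strings).
VALID_PIN = re.compile(r"[0-9]{4}|[0-9]{8}")


def find_suspicious_wps_requests(log_text):
    """Return (source_ip, decoded_pin) for each POST to /goform/WPS
    whose PIN parameter is not a plain 4- or 8-digit number."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split(None, 3)
        if len(parts) != 4:
            continue  # not in the assumed four-field format
        src, method, path, body = parts
        if method != "POST" or path.split("?")[0] != "/goform/WPS":
            continue
        # parse_qs URL-decodes values, so encoded characters are
        # checked in their decoded form.
        params = parse_qs(body, keep_blank_values=True)
        for pin in params.get("PIN", []):
            if not VALID_PIN.fullmatch(pin):
                findings.append((src, pin))
    return findings


if __name__ == "__main__":
    for src, pin in find_suspicious_wps_requests(SAMPLE_LOG):
        print(f"ALERT non-numeric WPS PIN from {src}: {pin!r}")
```
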
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-06-01T17:06:14.336Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 683d6b34182aa0cae23cac68
Added to database: 6/2/2025, 9:13:24 AM
Last enriched: 7/9/2025, 12:55:16 PM
Last updated: 8/18/2025, 11:29:55 PM