CVE-2025-5439 is a security vulnerability identified in multiple Linksys range extender models, including RE6500, RE6250, RE6300, RE6350, RE7000, and RE9000, specifically affecting firmware versions 1.0.013.001, 1.0.04.001, 1.0.04.002, 1.1.05.003, and 1.2.07.001. The vulnerability resides in the function verifyFacebookLike within the /goform/verifyFacebookLike endpoint. This function improperly handles user-supplied input parameters 'uid' and 'accessToken', allowing an attacker to inject arbitrary OS commands. Because the endpoint is accessible remotely and does not require user interaction or elevated privileges, exploitation can be performed over the network without authentication. The vulnerability is classified as an OS command injection, which can lead to execution of arbitrary commands on the device's underlying operating system. Although the vendor Linksys was notified early, no response or patch has been issued, and the exploit details have been publicly disclosed. The CVSS 4.0 base score is 5.3 (medium severity), reflecting network attack vector, low attack complexity, no privileges or user interaction required, but limited confidentiality, integrity, and availability impact. However, the potential for command execution on network infrastructure devices like range extenders can enable attackers to pivot into internal networks, intercept or manipulate traffic, or disrupt network availability. The lack of vendor response and patch availability increases the risk for affected users. The vulnerability affects multiple firmware versions across several popular Linksys range extenders, which are widely deployed in both consumer and small business environments.

For European organizations, this vulnerability poses a significant risk primarily to network security and operational continuity. Linksys range extenders are commonly used to improve Wi-Fi coverage in offices, retail locations, and home environments. Successful exploitation could allow attackers to execute arbitrary commands on these devices, potentially leading to unauthorized access to internal networks, interception or manipulation of network traffic, and disruption of wireless connectivity. This could facilitate lateral movement within corporate networks, data exfiltration, or service outages. Given the devices often operate at the network edge, compromise could undermine perimeter defenses. Additionally, many European organizations rely on these devices in remote or branch offices where direct IT oversight is limited, increasing the likelihood of unnoticed exploitation. The absence of vendor patches and public exploit disclosure further elevates the threat, as attackers can develop and deploy exploits without mitigation. While the CVSS score is medium, the real-world impact could be more severe depending on the network architecture and sensitivity of the data traversing these devices.

1. Immediate network segmentation: Isolate affected Linksys range extenders from critical internal networks to limit potential lateral movement if compromised. 2. Disable or restrict access to the /goform/verifyFacebookLike endpoint if possible, using firewall rules or device configuration to block external access. 3. Monitor network traffic for unusual activity originating from or targeting these devices, including unexpected command execution patterns or outbound connections. 4. Replace or upgrade affected devices with models from vendors that provide timely security updates and patches. 5. If replacement is not immediately feasible, consider deploying network intrusion detection/prevention systems (IDS/IPS) with signatures targeting known exploit patterns for this vulnerability. 6. Regularly audit and inventory network devices to identify vulnerable firmware versions and maintain an up-to-date asset management system. 7. Engage with Linksys support channels to demand patch releases and stay informed about any future security advisories. 8. Educate IT staff and users about the risks associated with unmanaged or outdated network devices to promote proactive security hygiene.