CVE-2025-5440 is a medium-severity OS command injection vulnerability affecting multiple Linksys range extender models, including RE6500, RE6250, RE6300, RE6350, RE7000, and RE9000, specifically in firmware versions 1.0.013.001, 1.0.04.001, 1.0.04.002, 1.1.05.003, and 1.2.07.001. The vulnerability resides in the NTP (Network Time Protocol) functionality, particularly in the /goform/NTP endpoint. The issue arises from improper sanitization of several parameters related to manual time setting: manual_year_select, manual_month_select, manual_day_select, manual_hour_select, manual_min_select, and manual_sec_select. An attacker can manipulate these parameters to inject arbitrary OS commands, which the device executes with elevated privileges. This flaw allows remote attackers to execute arbitrary commands without authentication or user interaction, increasing the attack surface significantly. Although the vendor was notified early, no patch or response has been issued, and no known exploits have been observed in the wild yet. The CVSS v4.0 base score is 5.3, reflecting a medium severity primarily due to the requirement of low privileges and the limited scope of impact. The vulnerability could enable attackers to compromise device integrity, potentially leading to persistent backdoors, network pivoting, or denial of service by disrupting device operations.

For European organizations, this vulnerability poses a tangible risk, especially for enterprises and service providers relying on Linksys range extenders to enhance wireless coverage. Exploitation could lead to unauthorized control over network infrastructure components, enabling attackers to intercept, manipulate, or disrupt internal communications. This is particularly critical in sectors with stringent data protection requirements such as finance, healthcare, and government agencies. Compromised devices could serve as entry points for lateral movement within corporate networks or as platforms for launching further attacks. Additionally, the lack of vendor response and patches increases the window of exposure. Small and medium enterprises (SMEs) that often deploy consumer-grade networking equipment without rigorous security management are especially vulnerable. The potential for disruption of network availability and confidentiality breaches could lead to regulatory non-compliance under GDPR and other European cybersecurity frameworks.

Given the absence of official patches, European organizations should immediately audit their network for the presence of affected Linksys range extender models and firmware versions. Network segmentation should be enforced to isolate these devices from critical infrastructure and sensitive data environments. Disabling the NTP manual configuration interface or restricting access to the /goform/NTP endpoint via firewall rules or access control lists can reduce exposure. Employing network intrusion detection systems (NIDS) to monitor for suspicious command injection patterns targeting these parameters is advisable. Organizations should consider replacing vulnerable devices with updated models or alternative vendors that provide timely security updates. Additionally, implementing strict network monitoring and anomaly detection can help identify exploitation attempts. Regular firmware integrity checks and limiting administrative access to trusted personnel only are recommended. Finally, organizations should maintain an incident response plan tailored to network device compromise scenarios.