CVE-2025-5441: OS Command Injection in Linksys RE6500
A vulnerability classified as critical was found in Linksys RE6500, RE6250, RE6300, RE6350, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. This vulnerability affects the function setDeviceURL of the file /goform/setDeviceURL. The manipulation of the argument DeviceURL leads to OS command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-5441 is a critical OS command injection vulnerability affecting multiple Linksys range extender models, including RE6500, RE6250, RE6300, RE6350, RE7000, and RE9000, specifically in firmware versions 1.0.013.001, 1.0.04.001, 1.0.04.002, 1.1.05.003, and 1.2.07.001. The vulnerability resides in the setDeviceURL function within the /goform/setDeviceURL endpoint. An attacker can manipulate the DeviceURL parameter to inject arbitrary operating system commands. This injection occurs because the input is not properly sanitized before being passed to system-level commands, allowing remote attackers to execute commands on the device without authentication or user interaction. The vulnerability is remotely exploitable over the network, increasing its risk profile. Although the CVSS v4.0 score is 5.3 (medium severity), the nature of OS command injection typically allows attackers to gain control over the device, potentially pivoting into internal networks. The vendor was notified but has not responded or issued a patch, and no known exploits are currently observed in the wild, though public disclosure of the exploit code exists, increasing the risk of exploitation.
Potential Impact
For European organizations, this vulnerability poses a significant risk especially for enterprises and small-to-medium businesses using Linksys range extenders to expand their wireless networks. Successful exploitation could allow attackers to execute arbitrary commands on the device, leading to device compromise, network reconnaissance, lateral movement, or establishing persistent backdoors. This could result in confidentiality breaches, integrity violations, and availability disruptions of network infrastructure. Given that these devices often sit at network edges or in less monitored segments, attackers could leverage compromised extenders to bypass perimeter defenses. The lack of vendor response and patches increases the window of exposure. Additionally, organizations in sectors with strict data protection regulations (e.g., GDPR) could face compliance risks if breaches occur due to this vulnerability.
Mitigation Recommendations
1. Immediate mitigation should include isolating affected Linksys extenders on segmented network zones with strict access controls to limit potential lateral movement.
2. Disable remote management interfaces on these devices if enabled, to reduce exposure.
3. Monitor network traffic for unusual outbound connections or command execution patterns originating from these devices.
4. Where possible, replace affected devices with models from vendors with active security support or with patched firmware.
5. Employ network-level intrusion detection/prevention systems (IDS/IPS) with signatures targeting command injection attempts against Linksys extenders.
6. Implement strict firewall rules to restrict access to the management interface to trusted IPs only.
7. Regularly audit and inventory network devices to identify vulnerable models and firmware versions.
8. Engage with Linksys support channels for updates or advisories and subscribe to vulnerability feeds for future patches.
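A log-side check supporting the monitoring and IDS/IPS recommendations above, as an added example rather than code from the advisory or from Linksys: it flags requests to /goform/setDeviceURL whose DeviceURL value contains shell metacharacters after percent-decoding, including double-encoded values. The request tuples, the `CMD` placeholder and the metacharacter set are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "/goform/setDeviceURL"  # endpoint named in the advisory
PARAM = "DeviceURL"                # argument named in the advisory
# Shell separators, substitution and redirection characters. "&" can occur in
# legitimate query strings, so expect to tune this set per environment.
SHELL_META = re.compile(r"[;|&`$<>\r\n]")

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding so %253B is seen as ';'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_chars(target, body=""):
    """Return sorted shell metacharacters found in DeviceURL, or []."""
    parts = urlsplit(target)
    if parts.path.rstrip("/") != ENDPOINT:
        return []
    values = []
    for raw in (parts.query, body):  # parameter may be in query or form body
        values += parse_qs(raw, keep_blank_values=True).get(PARAM, [])
    found = set()
    for value in values:
        found.update(SHELL_META.findall(fully_decode(value)))
    return sorted(found)

def scan(requests):
    """Return (source_ip, chars) for every request worth alerting on."""
    return [(src, chars) for src, target, body in requests
            if (chars := suspicious_chars(target, body))]

# Constructed sample requests: (source IP, request target, form body).
# "CMD" is a placeholder, not a real command.
SAMPLE = [
    ("192.0.2.10", "/goform/setDeviceURL", "DeviceURL=http%3A%2F%2F198.51.100.7%2Fcfg"),
    ("192.0.2.11", "/goform/setDeviceURL", "DeviceURL=http%3A%2F%2Fx%3BCMD"),
    ("192.0.2.12", "/goform/setDeviceURL?DeviceURL=%2524%28CMD%29", ""),
    ("192.0.2.13", "/goform/other", "DeviceURL=%3BCMD"),
]

if __name__ == "__main__":
    for src, chars in scan(SAMPLE):
        print(f"ALERT {src}: DeviceURL contains {chars}")
```

Because no vendor fix exists, any request to this endpoint from outside the trusted management range is worth reviewing even when the value looks clean.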
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-06-01T17:06:22.538Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 683d94ca182aa0cae24279f1
Added to database: 6/2/2025, 12:10:50 PM
Last enriched: 7/9/2025, 12:56:38 PM
Last updated: 8/16/2025, 5:43:48 PM