CVE-2025-5442 is a security vulnerability identified in several Linksys range extender models, including RE6500, RE6250, RE6300, RE6350, RE7000, and RE9000, specifically affecting firmware versions 1.0.013.001, 1.0.04.001, 1.0.04.002, 1.1.05.003, and 1.2.07.001. The vulnerability resides in the RP_pingGatewayByBBS function within the /goform/RP_pingGatewayByBBS endpoint. This function improperly handles input parameters such as ip, nm, and gw, allowing an attacker to inject arbitrary operating system commands. The flaw is a classic OS command injection, where unsanitized user input is passed to system-level commands, enabling remote attackers to execute arbitrary commands on the device without authentication or user interaction. The vulnerability is remotely exploitable over the network, increasing its risk profile. Despite the critical nature of command injection vulnerabilities, this issue has been assigned a medium severity with a CVSS 4.0 base score of 5.3, reflecting factors such as limited impact on confidentiality, integrity, and availability, and the requirement for some privileges (PR:L). The vendor, Linksys, was contacted but did not respond or provide a patch at the time of disclosure, and no official patches or mitigations have been released. Although no known exploits are currently observed in the wild, public disclosure of the exploit code increases the likelihood of exploitation attempts. This vulnerability could allow attackers to gain control over affected devices, potentially pivoting into internal networks or disrupting network connectivity.

For European organizations, this vulnerability poses a significant risk, especially for enterprises and service providers relying on Linksys range extenders to enhance wireless coverage. Successful exploitation could lead to unauthorized command execution on network devices, resulting in potential network disruption, interception or manipulation of network traffic, and lateral movement within corporate networks. This could compromise sensitive data confidentiality and integrity, and degrade availability of network services. Small and medium-sized enterprises (SMEs) that often deploy consumer-grade networking equipment like Linksys extenders without rigorous security controls are particularly vulnerable. Additionally, critical infrastructure sectors using these devices for network extension could face operational disruptions. The lack of vendor response and patches exacerbates the risk, as organizations must rely on alternative mitigations. Given the remote exploitability without user interaction, attackers can automate attacks at scale, increasing the threat landscape for European networks.

Organizations should immediately inventory their network infrastructure to identify the presence of affected Linksys extender models and firmware versions. Since no official patches are available, the primary mitigation is to isolate these devices from critical network segments and restrict management interface access to trusted administrative networks only. Implement network segmentation to limit the potential impact of a compromised device. Employ strict firewall rules to block unauthorized inbound traffic to the vulnerable endpoints, especially the /goform/RP_pingGatewayByBBS path. Monitor network traffic for unusual activity indicative of command injection attempts, such as unexpected system commands or abnormal outbound connections from extenders. Consider replacing vulnerable devices with models from vendors that provide timely security updates. Additionally, enable logging and alerting on network devices to detect exploitation attempts early. Educate IT staff on the risks of using consumer-grade devices in enterprise environments and enforce policies to avoid unsupported firmware versions. Finally, maintain up-to-date network device inventories and subscribe to vulnerability intelligence feeds to respond promptly to future disclosures.