CVE-2025-5444 is a critical OS command injection vulnerability affecting multiple Linksys range extender models, including RE6500, RE6250, RE6300, RE6350, RE7000, and RE9000, across several firmware versions (1.0.013.001, 1.0.04.001, 1.0.04.002, 1.1.05.003, and 1.2.07.001). The vulnerability resides in the RP_UpgradeFWByBBS function within the /goform/RP_UpgradeFWByBBS endpoint. Specifically, the vulnerability arises from improper sanitization of multiple input parameters such as type, ch, ssidhex, security, extch, pwd, mode, ip, nm, and gw. An attacker can remotely manipulate these parameters to inject arbitrary OS commands, which the device executes with elevated privileges. This flaw does not require authentication or user interaction, making it remotely exploitable over the network. The vendor has been notified but has not responded or issued patches, and public exploit code has been disclosed, increasing the risk of exploitation. The CVSS 4.0 base score is 5.3 (medium severity), reflecting the network attack vector, low attack complexity, and no required authentication, but limited impact on confidentiality, integrity, and availability. However, the potential for command injection on network infrastructure devices like Wi-Fi extenders can lead to device compromise, network pivoting, or denial of service. The lack of vendor response and public exploit availability heighten the urgency for mitigation.

For European organizations, this vulnerability poses a significant risk to network security and operational continuity. Linksys range extenders are commonly used in both residential and small to medium enterprise environments to enhance wireless coverage. Compromise of these devices can allow attackers to execute arbitrary commands, potentially leading to unauthorized network access, interception or manipulation of network traffic, and lateral movement within corporate networks. This can result in data breaches, disruption of business operations, and erosion of trust in network infrastructure. Additionally, compromised extenders could be used as footholds for launching further attacks or as part of botnets. Given the devices often operate at network perimeters or in less monitored segments, detection and response may be delayed. The absence of vendor patches and the public availability of exploits increase the likelihood of attacks targeting European networks, especially in sectors relying heavily on wireless connectivity and remote work setups.

Organizations should immediately inventory their network to identify any affected Linksys extender models and firmware versions. As no official patches are currently available, the following specific mitigations are recommended: 1) Isolate affected devices on segmented network zones with strict access controls to limit exposure; 2) Disable remote management interfaces and restrict local management access to trusted administrators only; 3) Monitor network traffic for unusual patterns or commands targeting the /goform/RP_UpgradeFWByBBS endpoint; 4) Employ network intrusion detection/prevention systems (IDS/IPS) with custom signatures to detect exploitation attempts; 5) Consider replacing vulnerable devices with models from vendors providing timely security updates; 6) Regularly update firmware when vendor patches become available; 7) Educate IT staff about this vulnerability and ensure incident response plans include steps for compromised network devices. These targeted actions go beyond generic advice by focusing on network segmentation, access restriction, and proactive monitoring specific to this vulnerability's exploitation vector.