CVE-2025-5446 is a security vulnerability identified in several Linksys Wi-Fi range extender models, including RE6500, RE6250, RE6300, RE6350, RE7000, and RE9000, specifically affecting firmware versions 1.0.013.001, 1.0.04.001, 1.0.04.002, 1.1.05.003, and 1.2.07.001. The vulnerability resides in the RP_checkCredentialsByBBS function within the /goform/RP_checkCredentialsByBBS endpoint. It is an OS command injection flaw triggered by manipulation of the 'pwd' argument. This allows an unauthenticated remote attacker to execute arbitrary operating system commands on the device. The vulnerability does not require user interaction or prior authentication, making it remotely exploitable over the network. Despite the critical nature of command injection vulnerabilities, this issue has been assigned a medium severity rating with a CVSS 4.0 score of 5.3, reflecting some mitigating factors such as limited scope or impact on confidentiality, integrity, and availability. The vendor has been contacted but has not responded or issued a patch, and no known exploits have been observed in the wild yet. The public disclosure of this vulnerability increases the risk of exploitation by attackers targeting vulnerable Linksys range extenders to gain control over the device, potentially pivoting into internal networks or disrupting network availability.

For European organizations, this vulnerability poses a significant risk especially for those relying on Linksys range extenders in their network infrastructure. Successful exploitation could lead to unauthorized remote code execution, allowing attackers to compromise device integrity, intercept or manipulate network traffic, or use the device as a foothold for lateral movement within corporate networks. This can result in data breaches, service disruptions, or deployment of further malware. Small and medium enterprises (SMEs) and home offices using these devices without timely firmware updates are particularly vulnerable. The lack of vendor response and patches increases exposure time. Given the widespread use of Linksys products in Europe, especially in countries with high adoption of consumer networking equipment in business environments, the threat could impact confidentiality and availability of network services. Additionally, compromised devices could be leveraged in botnets or for launching attacks against other targets, amplifying the threat landscape.

Organizations should immediately inventory their network to identify the presence of affected Linksys range extender models and firmware versions. Where possible, isolate these devices from critical network segments or the internet to reduce exposure. Since no official patches are available, consider temporary mitigations such as disabling remote management interfaces or restricting access to the vulnerable endpoint via firewall rules. Network monitoring should be enhanced to detect anomalous command execution or unusual traffic patterns originating from these devices. If replacement is feasible, upgrade to newer, unaffected hardware or firmware versions once available. Engage with Linksys support channels for updates and advisories. Additionally, implement network segmentation and zero-trust principles to limit the impact of any compromised device. Regularly update device firmware and maintain a vulnerability management program to quickly respond to emerging threats.