CVE-2025-5447 is a security vulnerability identified in multiple Linksys range extender models, including RE6500, RE6250, RE6300, RE6350, RE7000, and RE9000, across several firmware versions (1.0.013.001, 1.0.04.001, 1.0.04.002, 1.1.05.003, and 1.2.07.001). The vulnerability resides in the ssid1MACFilter function within the /goform/ssid1MACFilter endpoint. Specifically, the vulnerability arises from improper sanitization of the input parameters apselect_%d and newap_text_%d, which can be manipulated to inject arbitrary operating system commands. This type of flaw is categorized as OS command injection, allowing an attacker to execute arbitrary commands on the underlying device remotely without requiring authentication or user interaction. The vulnerability is remotely exploitable over the network, increasing its risk profile. Although the vendor was notified early, no response or patch has been issued, and the exploit details have been publicly disclosed, increasing the likelihood of exploitation. The CVSS v4.0 score is 5.3 (medium severity), reflecting the ease of remote exploitation but with limited impact on confidentiality, integrity, and availability due to partial scope and privileges required (low privileges). However, the absence of vendor mitigation and public exploit availability elevate the practical risk. The affected devices are consumer and small business Wi-Fi range extenders commonly used to improve wireless coverage, which often have privileged network access and may be part of home or small office networks.

For European organizations, the impact of this vulnerability can vary depending on the deployment of affected Linksys range extenders within their network infrastructure. While these devices are primarily consumer-grade, they are sometimes used in small office/home office (SOHO) environments or branch offices to extend wireless coverage. Successful exploitation could allow attackers to execute arbitrary commands on the device, potentially leading to network reconnaissance, lateral movement, or establishing persistent footholds within the network. This could compromise network segmentation and expose internal resources. Additionally, compromised devices could be used as pivot points for launching further attacks or as part of botnets. Given the lack of vendor response and patches, organizations relying on these devices face prolonged exposure. The medium CVSS score suggests moderate risk, but the real-world impact could be higher if attackers leverage the vulnerability to gain deeper network access. European organizations with distributed or remote work environments using these devices are particularly at risk, as attackers can exploit the vulnerability remotely without authentication. The exposure is heightened in countries with higher market penetration of Linksys products or where small businesses rely heavily on consumer-grade networking equipment.

1. Immediate network segmentation: Isolate affected Linksys range extenders from critical network segments to limit potential lateral movement if compromised. 2. Disable remote management interfaces on these devices to reduce attack surface. 3. Monitor network traffic for unusual activity originating from or targeting these devices, including command injection attempts. 4. Replace affected devices with models from vendors that provide timely security updates, or use enterprise-grade equipment with robust security controls. 5. If replacement is not immediately feasible, restrict device management access to trusted IP addresses and implement strict firewall rules. 6. Regularly audit firmware versions and device configurations to identify vulnerable devices. 7. Employ network intrusion detection/prevention systems (IDS/IPS) with signatures for known exploits targeting this vulnerability once available. 8. Engage with Linksys support channels and monitor for any future patches or advisories. 9. Educate IT staff about the risks of consumer-grade devices in business environments and encourage procurement policies favoring secure, supported hardware.