CVE-2025-60696 is a stack-based buffer overflow vulnerability identified in the makeRequest.cgi binary of Linksys RE7000 routers, specifically those running firmware version FW_v2.0.15_211230_1012. The vulnerability stems from the arplookup function, which parses entries from the /proc/net/arp file using the sscanf function with format specifiers "%16s" and "%18s" to extract strings into buffers v6 and v7, sized 12 and 20 bytes respectively. Because sscanf allows up to 16 and 18 bytes to be read, this can overflow the smaller buffers, causing stack corruption. This overflow can be exploited by a local attacker who can manipulate the contents of /proc/net/arp, which typically requires elevated privileges or local access. The consequences of exploitation include denial of service through crashing the router or potentially executing arbitrary code, which could lead to full compromise of the device. No public exploits are currently known, and no official patch or CVSS score has been published. The vulnerability highlights unsafe parsing practices and insufficient buffer size validation in embedded router firmware, which is critical given the widespread use of such devices in enterprise and home networks. The lack of authentication or remote exploitability reduces the attack surface but does not eliminate risk, especially in environments where local access can be gained through compromised devices or insider threats.

For European organizations, the impact of CVE-2025-60696 could be significant in environments where Linksys RE7000 routers are deployed, particularly in branch offices, small to medium enterprises, or home office setups that connect to corporate networks. Exploitation could lead to denial of service, disrupting network connectivity and business operations. More critically, if arbitrary code execution is achieved, attackers could gain persistent control over network infrastructure, enabling interception of sensitive data, lateral movement, or launching further attacks. This risk is heightened in sectors with stringent availability and confidentiality requirements such as finance, healthcare, and critical infrastructure. The local access requirement limits remote exploitation but does not preclude attacks via compromised internal hosts or malicious insiders. Given the router’s role as a network gateway, compromise could undermine perimeter defenses and expose internal systems to external threats.

Immediate mitigation should focus on restricting local access to the router’s management interfaces and ensuring that only trusted users can interact with the device. Network segmentation can limit exposure of the router to untrusted hosts. Administrators should monitor for unusual activity or crashes related to the makeRequest.cgi process. Since no official patch is currently available, organizations should contact Linksys for firmware updates or advisories addressing this vulnerability. If feasible, replacing affected routers with models confirmed to be free of this vulnerability is advisable. Additionally, implementing host-based protections to prevent unauthorized modification of /proc/net/arp or limiting the ability of local users to influence this file can reduce risk. Regularly auditing router configurations and applying principle of least privilege to local accounts will further mitigate exploitation potential.