CVE-2025-6752 is a critical stack-based buffer overflow vulnerability affecting several Linksys router models, including the WRT1900ACS, EA7200, EA7450, and EA7500, specifically up to firmware version 20250619. The vulnerability resides in the Internet Gateway Device (IGD) component, within the /upnp/control/Layer3Forwarding service, in the function SetDefaultConnectionService. This function processes the argument NewDefaultConnectionService, and improper handling of this input allows an attacker to overflow the stack buffer. This type of vulnerability can lead to arbitrary code execution, denial of service, or system compromise. The vulnerability is remotely exploitable without authentication or user interaction, increasing its risk profile. The CVSS 4.0 score is 8.7 (high severity), reflecting the ease of remote exploitation (network vector), lack of required privileges or user interaction, and the high impact on confidentiality, integrity, and availability. The vendor was notified early but has not responded or issued a patch, and a public exploit has been disclosed, though no confirmed exploitation in the wild has been reported yet. This lack of vendor response and public exploit availability heightens the urgency for affected organizations to take protective measures. The vulnerability affects core network infrastructure devices that are often deployed in enterprise and home networks, making it a significant threat vector for attackers seeking to gain persistent access or disrupt network operations.

For European organizations, this vulnerability poses a substantial risk to network security and operational continuity. Linksys routers are widely used in small to medium enterprises and home office environments across Europe. Successful exploitation could allow attackers to execute arbitrary code on the device, potentially leading to full compromise of the router. This could enable interception or manipulation of network traffic, lateral movement within corporate networks, or establishment of persistent backdoors. Confidentiality of sensitive data transmitted through the network could be compromised, and integrity of network configurations and routing could be altered, causing service disruptions. Availability could also be impacted if the device crashes or is rendered inoperable. Given the critical role of routers in network infrastructure, exploitation could have cascading effects on business operations, including disruption of internet connectivity and access to cloud services. The lack of vendor patching increases the window of exposure, and the public exploit availability raises the likelihood of targeted attacks against European organizations, especially those with limited network security monitoring or outdated firmware management practices.

Immediate mitigation steps include: 1) Identifying and inventorying all affected Linksys router models within the organization’s network. 2) Restricting access to the UPnP service, especially the /upnp/control/Layer3Forwarding endpoint, by disabling UPnP entirely if not required, or by implementing strict firewall rules to block external and untrusted internal access to the router’s management interfaces. 3) Segregating network segments to limit exposure of vulnerable devices from untrusted networks or users. 4) Monitoring network traffic for unusual or suspicious UPnP requests that could indicate exploitation attempts. 5) Applying any available vendor updates or firmware patches as soon as they are released; if no official patch is available, consider temporary replacement of affected devices with alternative hardware or firmware that is not vulnerable. 6) Employing network intrusion detection/prevention systems (IDS/IPS) with signatures for this vulnerability or related exploit attempts. 7) Educating IT staff and users about the risks and signs of router compromise. 8) Regularly backing up router configurations and preparing incident response plans for potential compromise scenarios. These measures go beyond generic advice by focusing on UPnP service restriction, network segmentation, and active monitoring tailored to this specific vulnerability.