CVE-2025-8822 is a high-severity stack-based buffer overflow vulnerability affecting multiple Linksys Wi-Fi range extender models, including RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000, specifically in firmware versions up to 20250801. The vulnerability resides in the function algDisable within the /goform/setOpMode endpoint, where improper handling of the 'opMode' argument allows an attacker to overflow the stack buffer. This flaw can be exploited remotely without requiring user interaction or prior authentication, making it particularly dangerous. The vulnerability enables an attacker to execute arbitrary code on the affected device, potentially leading to full device compromise, disruption of network services, or use of the device as a pivot point for further attacks within the network. Despite early notification, the vendor has not responded or issued patches, and public exploit code has been disclosed, increasing the risk of exploitation. The CVSS 4.0 base score of 8.7 reflects the vulnerability's high impact on confidentiality, integrity, and availability, combined with its ease of remote exploitation without authentication or user interaction.

For European organizations, this vulnerability poses a significant risk, especially for those relying on Linksys range extenders in their network infrastructure. Successful exploitation could lead to unauthorized control over network devices, enabling attackers to intercept or manipulate sensitive communications, disrupt network availability, or establish persistent footholds for lateral movement. This is particularly critical for sectors with stringent data protection requirements such as finance, healthcare, and government institutions. The lack of vendor response and patches increases exposure time, raising the likelihood of attacks. Additionally, compromised devices could be leveraged in botnets or as launch points for attacks against other internal or external targets, amplifying the threat landscape for European enterprises and critical infrastructure.

Given the absence of official patches, organizations should immediately audit their networks to identify the presence of affected Linksys range extender models and firmware versions. Where possible, disable or isolate these devices from critical network segments to limit exposure. Network segmentation and strict access controls should be enforced to prevent unauthorized access to management interfaces. Employ network intrusion detection systems (NIDS) with signatures or heuristics capable of detecting exploitation attempts targeting /goform/setOpMode requests. Consider replacing vulnerable devices with models from vendors providing timely security updates. Additionally, monitor network traffic for unusual patterns indicative of exploitation attempts or device compromise. Organizations should also engage with Linksys support channels to demand timely remediation and monitor security advisories for updates or patches.