CVE-2025-8822: Stack-based Buffer Overflow in Linksys RE6250
A vulnerability has been found in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 up to 20250801. Affected is the function algDisable of the file /goform/setOpMode. The manipulation of the argument opMode leads to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-8822 is a high-severity stack-based buffer overflow vulnerability affecting multiple Linksys range extender models, including RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000, specifically up to firmware version 20250801. The vulnerability resides in the function algDisable within the /goform/setOpMode endpoint. An attacker can manipulate the 'opMode' argument to trigger a stack-based buffer overflow, which can be exploited remotely without requiring user interaction or prior authentication. This vulnerability allows an attacker to potentially execute arbitrary code on the device, leading to full compromise of the affected range extender. The CVSS 4.0 score is 8.7, reflecting high impact on confidentiality, integrity, and availability, with low attack complexity and no privileges or user interaction needed. The vendor was notified early but has not responded or issued a patch, and public exploit code has been disclosed, increasing the risk of exploitation. The vulnerability affects the core network functionality of these devices, which are commonly used to extend Wi-Fi coverage in home and small office environments. Successful exploitation could allow attackers to intercept, manipulate, or disrupt network traffic, pivot into internal networks, or use the compromised device as a foothold for further attacks.
Potential Impact
For European organizations, this vulnerability poses significant risks, especially for small and medium enterprises (SMEs) and home offices that rely on Linksys range extenders to maintain network connectivity. Compromise of these devices can lead to unauthorized access to internal networks, data interception, and potential lateral movement to more critical infrastructure. The lack of vendor response and available patches increases the window of exposure. Given the remote exploitability and no requirement for authentication, attackers can target vulnerable devices en masse, potentially leading to widespread network disruptions or data breaches. Critical sectors such as finance, healthcare, and government entities using these devices for network extension could face confidentiality breaches and operational downtime. Additionally, compromised devices could be enlisted into botnets or used to launch further attacks, amplifying the threat landscape in Europe.
Mitigation Recommendations
Immediate mitigation steps include isolating affected Linksys range extenders from critical network segments and the internet to reduce exposure. Network administrators should monitor network traffic for unusual activity originating from these devices. Deploy network segmentation to limit the potential impact of a compromised extender. Since no official patches are available, organizations should consider replacing vulnerable devices with models from vendors that provide timely security updates. Implement strict firewall rules to restrict access to the /goform/setOpMode endpoint and disable remote management features if not required. Regularly audit and update network device inventories to identify and track vulnerable hardware. Employ intrusion detection systems (IDS) and endpoint detection and response (EDR) solutions to detect exploitation attempts. Finally, maintain close monitoring of vendor communications for any forthcoming patches or advisories.
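One way to act on the monitoring and access-restriction advice above is to flag HTTP requests to /goform/setOpMode that come from outside a management allowlist or carry an abnormal opMode value. This is an added example, not code from the advisory or the vendor; the allowlisted subnet, the length threshold (the advisory does not state the buffer size) and the sample events are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Assumptions (not from the advisory): the management subnet allowed to reach
# the extender's web UI, and the length above which opMode is treated as abnormal.
ADMIN_NETS = [ipaddress.ip_network("192.0.2.0/28")]
MAX_OPMODE_LEN = 16
TARGET_PATH = "/goform/setopmode"  # compared case-insensitively

def inspect_request(src_ip, url, body=""):
    """Return a list of findings for one HTTP request seen by a proxy or sensor."""
    parts = urlsplit(url)
    if parts.path.rstrip("/").lower() != TARGET_PATH:
        return []
    findings = []
    if not any(ipaddress.ip_address(src_ip) in net for net in ADMIN_NETS):
        findings.append("source-not-allowlisted")
    # opMode may arrive in the query string or in a form-encoded body.
    params = parse_qs(parts.query, keep_blank_values=True)
    for key, vals in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(key, []).extend(vals)
    for value in params.get("opMode", []):
        if len(value) > MAX_OPMODE_LEN:
            findings.append(f"opMode-oversized:{len(value)}")
        if not (value.isascii() and value.isprintable()):
            findings.append("opMode-nonprintable")
    return findings

# Constructed sample events: (source IP, URL, form body).
SAMPLE_EVENTS = [
    ("192.0.2.5", "http://192.0.2.1/goform/setOpMode", "opMode=1"),
    ("198.51.100.7", "http://192.0.2.1/goform/setOpMode", "opMode=" + "A" * 300),
    ("192.0.2.5", "http://192.0.2.1/index.html", ""),
]

def scan(events):
    """Return (source, findings) for every event that produced a finding."""
    return [(src, f) for src, url, body in events
            if (f := inspect_request(src, url, body))]

if __name__ == "__main__":
    for src, findings in scan(SAMPLE_EVENTS):
        print(src, findings)
```
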
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-08-10T07:53:45.675Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68993da9ad5a09ad001d42b1
Added to database: 8/11/2025, 12:47:37 AM
Last enriched: 8/11/2025, 1:02:56 AM
Last updated: 8/11/2025, 1:50:38 AM
Related Threats
- CVE-2025-8827: OS Command Injection in Linksys RE6250 (Medium)
- CVE-2025-8826: Stack-based Buffer Overflow in Linksys RE6250 (High)
- CVE-2025-8825: OS Command Injection in Linksys RE6250 (Medium)
- CVE-2025-8824: Stack-based Buffer Overflow in Linksys RE6250 (High)
- CVE-2025-8823: OS Command Injection in Linksys RE6250 (Medium)