CVE-2025-8823 is a security vulnerability identified in several Linksys Wi-Fi range extender models, including RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000, affecting firmware versions up to 20250801. The vulnerability resides in the setDeviceName function within the /goform/setDeviceName endpoint. Specifically, the DeviceName parameter is susceptible to OS command injection due to insufficient input validation or sanitization. This flaw allows an unauthenticated remote attacker to inject arbitrary operating system commands by manipulating the DeviceName argument. The attack vector is remote and does not require user interaction or prior authentication, increasing the risk of exploitation. Although the vendor was notified early, no response or patch has been issued, and the exploit details have been publicly disclosed, raising the likelihood of potential exploitation. The CVSS v4.0 base score is 5.3 (medium severity), reflecting the moderate impact and ease of exploitation without authentication but with limited confidentiality, integrity, and availability impact. The vulnerability could allow attackers to execute arbitrary commands on the device, potentially leading to device compromise, network pivoting, or disruption of network services provided by the affected range extenders.

For European organizations, this vulnerability poses a tangible risk, especially for those relying on Linksys range extenders in their network infrastructure. Compromise of these devices could lead to unauthorized access to internal networks, interception or manipulation of network traffic, and potential lateral movement to more critical systems. Given that range extenders often operate at the network edge and may have elevated privileges or access to internal segments, attackers could leverage this vulnerability to establish persistent footholds or disrupt connectivity. The lack of vendor response and patch availability increases the window of exposure. Organizations in sectors with high reliance on stable and secure network infrastructure—such as finance, healthcare, and government—may face operational disruptions or data breaches. Additionally, the remote and unauthenticated nature of the exploit lowers the barrier for attackers, including cybercriminals and state-sponsored actors, to exploit this vulnerability at scale.

Immediate mitigation steps include isolating affected Linksys range extenders from critical network segments and restricting remote management access to trusted IP addresses or VPNs. Network administrators should monitor network traffic for unusual commands or patterns targeting the /goform/setDeviceName endpoint. Employing network-level intrusion detection/prevention systems (IDS/IPS) with custom signatures to detect attempts to exploit this command injection can help reduce risk. Since no official patch is available, organizations should consider replacing vulnerable devices with models from vendors that provide timely security updates. Additionally, implementing strict network segmentation to limit the range extenders' access to sensitive internal resources can minimize potential damage. Regularly auditing device firmware versions and configurations, and disabling unnecessary services or remote management interfaces, will further reduce the attack surface.