CVE-2025-8825 is a security vulnerability affecting multiple Linksys range extender models including RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000 with firmware versions up to 20250801. The vulnerability exists in the RP_setBasicAuto function within the /goform/RP_setBasicAuto endpoint. Specifically, the issue arises from improper sanitization of the staticIp and staticNetmask parameters, which are used in OS command execution. An attacker can remotely manipulate these parameters to perform OS command injection, allowing arbitrary command execution on the device with the privileges of the affected service. This vulnerability does not require user interaction or authentication, making it remotely exploitable over the network. The vendor, Linksys, was notified early but has not responded or provided a patch at the time of disclosure. The CVSS v4.0 base score is 5.3 (medium severity), reflecting a network attack vector with low complexity, no privileges required, and no user interaction, but limited impact on confidentiality, integrity, and availability. Although no known exploits have been observed in the wild yet, the public disclosure of the exploit code increases the risk of exploitation. This vulnerability could allow attackers to compromise the device, potentially pivot into internal networks, intercept or manipulate traffic, or disrupt network connectivity.

For European organizations, this vulnerability poses a moderate risk, especially for enterprises and service providers using Linksys range extenders in their network infrastructure. Successful exploitation could lead to unauthorized control over network devices, enabling attackers to intercept sensitive communications, launch further attacks within the internal network, or cause denial of service by disrupting network connectivity. Given the widespread use of Linksys products in small and medium-sized businesses and home office environments across Europe, the vulnerability could be leveraged to target less hardened network segments. Critical infrastructure operators or organizations with remote sites relying on these extenders may face increased exposure. The lack of vendor response and patches increases the window of opportunity for attackers. Additionally, the remote and unauthenticated nature of the exploit makes it accessible to a broad range of threat actors, including opportunistic attackers and automated scanning tools. However, the medium severity score indicates that while impactful, the vulnerability may not lead to full network compromise without additional factors.

Organizations should immediately inventory their network to identify the presence of affected Linksys range extender models and firmware versions. Until a vendor patch is available, network segmentation should be enforced to isolate vulnerable devices from critical systems and sensitive data. Access to the management interfaces of these devices should be restricted via firewall rules, VPNs, or network access control lists to trusted administrators only. Monitoring network traffic for unusual commands or connections to the /goform/RP_setBasicAuto endpoint can help detect exploitation attempts. Where possible, disable remote management features or change default credentials to reduce exposure. Consider replacing vulnerable devices with alternative hardware from vendors with active security support if patching is not forthcoming. Regularly check for vendor updates or security advisories. Implementing intrusion detection systems with signatures for this vulnerability can provide early warning. Finally, educate IT staff about the risks and signs of exploitation related to this vulnerability.