CVE-2025-8828 is a medium-severity OS command injection vulnerability affecting multiple Linksys range extender models, including RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000, with firmware versions up to 20250801. The vulnerability resides in the ipv6cmd function within the /goform/setIpv6 endpoint, which processes various IPv6-related parameters such as Ipv6PriDns, Ipv6SecDns, Ipv6StaticGateway, LanIpv6Addr, LanPrefixLen, pppoeUser, pppoePass, and others. Improper sanitization of these input parameters allows an attacker to inject arbitrary operating system commands remotely without authentication or user interaction. This means an attacker can craft malicious requests to the vulnerable endpoint to execute commands on the device with the privileges of the affected service, potentially leading to unauthorized control over the device. The vulnerability was publicly disclosed shortly after being reserved, and the vendor has not responded or issued patches, increasing the risk of exploitation. Although no known exploits are currently reported in the wild, the public disclosure and lack of vendor mitigation raise the likelihood of future exploitation attempts. The CVSS 4.0 base score is 5.3 (medium), reflecting the network attack vector, low attack complexity, no privileges or user interaction required, but limited confidentiality, integrity, and availability impact due to the scope being local to the device. The vulnerability affects critical network infrastructure components used to extend Wi-Fi coverage, which could be leveraged as a foothold for lateral movement or to disrupt network operations.

For European organizations, this vulnerability poses a significant risk to network security and operational continuity. Linksys range extenders are commonly deployed in both enterprise and home office environments to improve wireless coverage. Successful exploitation could allow attackers to gain control over these devices, enabling them to intercept or manipulate network traffic, launch further attacks within the internal network, or disrupt connectivity. This is particularly concerning for organizations relying on these devices for critical communications or remote work setups. The lack of vendor response and patches means organizations must assume the vulnerability remains unmitigated, increasing exposure. Additionally, compromised devices could be used as entry points for espionage, data exfiltration, or to establish persistent access. Given the IPv6 focus of the vulnerability, networks utilizing IPv6 configurations are at higher risk. The potential impact extends to confidentiality, integrity, and availability of network services, though the medium CVSS score suggests the impact is somewhat contained to the device and local network segment rather than widespread systemic failure.

1. Immediate network segmentation: Isolate affected Linksys extenders on separate VLANs or network segments to limit potential lateral movement if compromised. 2. Disable IPv6 functionality on the affected devices if not required, as the vulnerability specifically targets IPv6-related parameters. 3. Restrict remote management access to the extenders by limiting access to trusted IP addresses or disabling remote administration entirely. 4. Monitor network traffic for unusual activity or command injection attempts targeting the /goform/setIpv6 endpoint. 5. Replace or upgrade affected devices where possible, prioritizing models with vendor-supported firmware updates or alternative hardware from vendors with active security maintenance. 6. Employ network intrusion detection/prevention systems (IDS/IPS) with signatures or heuristics capable of detecting command injection attempts against Linksys extenders. 7. Maintain an inventory of all Linksys extenders in use to ensure comprehensive coverage of mitigation efforts. 8. Engage with Linksys support channels to seek updates or official patches and apply them promptly once available. 9. Educate IT staff about this vulnerability to ensure rapid response to any suspicious activity related to these devices.