
CVE-2025-8828: OS Command Injection in Linksys RE6250

Severity: Medium
Type: Vulnerability
Published: Mon Aug 11 2025 (08/11/2025, 03:32:05 UTC)
Source: CVE Database V5
Vendor/Project: Linksys
Product: RE6250

Description

A vulnerability was determined in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 up to 20250801. Affected is the function ipv6cmd of the file /goform/setIpv6. The manipulation of the argument Ipv6PriDns/Ipv6SecDns/Ipv6StaticGateway/LanIpv6Addr/LanPrefixLen/pppoeUser/pppoePass/pppoeIdleTime/pppoeRedialPeriod/Ipv6in4_PrefixLen/LocalIpv6/RemoteIpv4/LanIPv6_Prefix/LanPrefixLen/ipv6to4Relay/ipv6rdRelay/tunrd_PrefixLen/wan_UseLinkLocal/Ipv6StaticIp/Ipv6PrefixLen leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 08/19/2025, 01:46:25 UTC

Technical Analysis

CVE-2025-8828 is a medium-severity OS command injection vulnerability affecting multiple Linksys range extender models, including RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000 with firmware versions up to 20250801. The vulnerability resides in the ipv6cmd function within the /goform/setIpv6 endpoint. Specifically, the flaw arises from improper sanitization of several IPv6-related parameters such as Ipv6PriDns, Ipv6SecDns, Ipv6StaticGateway, LanIpv6Addr, LanPrefixLen, pppoeUser, pppoePass, pppoeIdleTime, pppoeRedialPeriod, Ipv6in4_PrefixLen, LocalIpv6, RemoteIpv4, LanIPv6_Prefix, ipv6to4Relay, ipv6rdRelay, tunrd_PrefixLen, wan_UseLinkLocal, Ipv6StaticIp, and Ipv6PrefixLen. An attacker can remotely send crafted requests to this endpoint, injecting arbitrary OS commands that the device executes with elevated privileges. This can lead to unauthorized command execution on the device, potentially allowing attackers to manipulate device configurations, pivot into internal networks, or disrupt network availability. The vulnerability does not require user interaction or authentication, increasing its risk profile. Although the vendor was notified early, no response or patch has been provided, and public exploit details have been disclosed, increasing the likelihood of exploitation. The CVSS 4.0 base score is 5.3, reflecting a medium severity with network attack vector, low complexity, no authentication required, and partial impacts on confidentiality, integrity, and availability.

Potential Impact

For European organizations, this vulnerability poses a significant risk, especially for enterprises and SMEs relying on Linksys range extenders to enhance wireless network coverage. Successful exploitation could lead to unauthorized control over network devices, enabling attackers to intercept or manipulate network traffic, disrupt connectivity, or use the compromised device as a foothold for lateral movement within corporate networks. This is particularly concerning for organizations with sensitive data or critical infrastructure relying on stable and secure network environments. The lack of vendor response and patch availability increases exposure time. Additionally, the vulnerability's focus on IPv6 parameters is notable as IPv6 adoption is growing in Europe, potentially increasing the attack surface. The ability to exploit remotely without authentication means attackers can target vulnerable devices over the internet or internal networks, raising the risk of widespread compromise.

Mitigation Recommendations

Given the absence of an official patch, European organizations should implement immediate compensating controls. First, isolate affected Linksys devices from direct internet exposure by placing them behind firewalls or network segmentation to restrict access to the /goform/setIpv6 endpoint. Disable IPv6 functionality on these devices if not required, reducing the attack surface related to the vulnerable parameters. Monitor network traffic for unusual requests targeting the vulnerable endpoint or suspicious command execution patterns. Employ intrusion detection/prevention systems (IDS/IPS) with updated signatures to detect exploitation attempts. Where feasible, replace vulnerable Linksys extenders with devices from vendors providing timely security updates. For organizations with in-house firmware expertise, consider applying custom firmware or configuration hardening to sanitize inputs or disable vulnerable services. Maintain strict network access controls and regularly audit device configurations. Finally, maintain heightened awareness for related threat intelligence updates and be prepared to apply vendor patches promptly once available.
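The monitoring and input-sanitization recommendations above can be approximated with strict allowlist validation of the parameters the advisory names. The following Python sketch is an added example, not code from the advisory or from Linksys. The value type assigned to each parameter is an assumption inferred from its name, and the sample request bodies are constructed.

```python
import ipaddress
import re
from urllib.parse import parse_qsl

ENDPOINT = "/goform/setIpv6"  # endpoint named in the advisory

def _ip(version):
    def check(value):
        # Pre-filter the alphabet: ipaddress accepts an IPv6 "%scope" suffix
        # with arbitrary characters, which must not pass as a clean address.
        if not re.fullmatch(r"[0-9A-Fa-f:.]{2,45}", value):
            return False
        try:
            return ipaddress.ip_address(value).version == version
        except ValueError:
            return False
    return check

def _int(lo, hi):
    return lambda v: bool(re.fullmatch(r"[0-9]{1,5}", v)) and lo <= int(v) <= hi

def _token(value):
    # Conservative allowlist for fields whose format the advisory does not give.
    return bool(re.fullmatch(r"[A-Za-z0-9._:@/-]{1,64}", value))

# Value types are assumptions inferred from the parameter names.
RULES = {name: _ip(6) for name in (
    "Ipv6PriDns", "Ipv6SecDns", "Ipv6StaticGateway", "LanIpv6Addr",
    "LocalIpv6", "Ipv6StaticIp")}
RULES["RemoteIpv4"] = _ip(4)
RULES.update({name: _int(0, 128) for name in (
    "LanPrefixLen", "Ipv6PrefixLen", "Ipv6in4_PrefixLen", "tunrd_PrefixLen")})
RULES.update({name: _int(0, 65535) for name in ("pppoeIdleTime", "pppoeRedialPeriod")})
RULES.update({name: _token for name in (
    "pppoeUser", "pppoePass", "LanIPv6_Prefix", "ipv6to4Relay",
    "ipv6rdRelay", "wan_UseLinkLocal")})

def audit_request(path, body):
    """Return [(param, value)] for listed parameters that fail validation."""
    if path.split("?", 1)[0] != ENDPOINT:
        return []
    return [(k, v) for k, v in parse_qsl(body, keep_blank_values=True)
            if k in RULES and v and not RULES[k](v)]

# Constructed sample request bodies (not captured traffic).
CLEAN = "Ipv6PriDns=2001%3Adb8%3A%3A53&LanPrefixLen=64&RemoteIpv4=192.0.2.1"
SUSPECT = "Ipv6PriDns=2001%3Adb8%3A%3A53%3B+echo+x&LanPrefixLen=64&pppoeIdleTime=30%60x%60"

if __name__ == "__main__":
    print(audit_request(ENDPOINT, CLEAN), audit_request(ENDPOINT, SUSPECT))
```

A non-empty result is a lead for review rather than proof of exploitation, since legitimate PPPoE credentials may contain characters outside the assumed allowlist.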


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-08-10T07:54:01.680Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68996b5dad5a09ad00207610

Added to database: 8/11/2025, 4:02:37 AM

Last enriched: 8/19/2025, 1:46:25 AM

Last updated: 9/16/2025, 1:46:58 AM
