CVE-2025-9244: OS Command Injection in Linksys RE6250
A security vulnerability has been detected in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. This vulnerability affects the function addStaticRoute of the file /goform/addStaticRoute. Manipulation of the arguments staticRoute_IP_setting, staticRoute_Netmask_setting, staticRoute_Gateway_setting, staticRoute_Metric_setting or staticRoute_destType_setting leads to OS command injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-9244 is a security vulnerability identified in multiple versions of Linksys range extender devices, specifically models RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000 running firmware versions 1.0.013.001, 1.0.04.001, 1.0.04.002, 1.1.05.003, and 1.2.07.001. The vulnerability exists in the addStaticRoute function within the /goform/addStaticRoute endpoint. This function processes parameters related to static routing configuration, including staticRoute_IP_setting, staticRoute_Netmask_setting, staticRoute_Gateway_setting, staticRoute_Metric_setting, and staticRoute_destType_setting. Improper input validation or sanitization of these parameters allows an attacker to inject arbitrary operating system commands. The vulnerability is exploitable remotely without authentication or user interaction, as the affected endpoint is accessible over the network. The vendor was notified but has not issued any response or patch at the time of disclosure. The CVSS v4.0 base score is 5.3, indicating a medium severity level. The vector indicates network attack vector, low attack complexity, no privileges required, no user interaction, and limited impact on confidentiality, integrity, and availability. Although no known exploits are currently observed in the wild, the public disclosure of the vulnerability increases the risk of exploitation attempts. The vulnerability could allow attackers to execute arbitrary commands on the device, potentially leading to device compromise, network reconnaissance, or pivoting to other internal systems.
Potential Impact
For European organizations, this vulnerability poses a moderate risk, especially for those relying on Linksys range extenders in their network infrastructure. Compromise of these devices could lead to unauthorized command execution, enabling attackers to manipulate network routing, intercept or redirect traffic, or establish persistent footholds within corporate networks. This could degrade network availability or confidentiality and facilitate further attacks against internal resources. Small and medium enterprises or branch offices using these consumer-grade devices without strict network segmentation are particularly vulnerable. Additionally, critical infrastructure or organizations with remote sites using these extenders could face increased risk of lateral movement by attackers. The lack of vendor response and patches exacerbates the threat, as organizations must rely on mitigation or device replacement. Given the medium CVSS score and the ease of remote exploitation without authentication, the threat should be taken seriously in environments where these devices are deployed.
Mitigation Recommendations
1. Immediate network-level mitigation: Block external and untrusted network access to the management interface of Linksys RE series devices, especially the /goform/addStaticRoute endpoint, using firewall rules or network segmentation.
2. Disable remote management features on affected devices if not strictly necessary.
3. Replace affected devices with updated hardware from vendors with active security support if possible.
4. Monitor network traffic for unusual requests targeting the addStaticRoute endpoint or suspicious command execution patterns.
5. Implement strict access controls and isolate vulnerable devices on separate VLANs to limit potential lateral movement.
6. Regularly audit and inventory network devices to identify vulnerable Linksys models and firmware versions.
7. If device replacement is not immediately feasible, consider deploying web application firewalls (WAFs) or intrusion prevention systems (IPS) with custom rules to detect and block command injection attempts targeting these devices.
8. Stay alert for vendor updates or community patches and apply them promptly once available.
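One way to implement the monitoring and custom-rule recommendations is an allow-list check on the five parameters named in the advisory, applied to requests captured by a proxy or IPS in front of the device. This is an added example, not code from the advisory or the vendor. It assumes URL-encoded form bodies, a metric of one to three digits and a short alphanumeric destType token; the sample requests are constructed.

```python
import ipaddress
import re
from urllib.parse import parse_qsl

ENDPOINT = "/goform/addStaticRoute"  # endpoint named in the advisory

def _ipv4(v):
    try:
        ipaddress.IPv4Address(v)   # rejects anything but a dotted quad
        return True
    except ValueError:
        return False

def _netmask(v):
    try:
        # Must be a dotted quad that is also a valid contiguous mask.
        return _ipv4(v) and bool(ipaddress.IPv4Network("0.0.0.0/" + v))
    except ValueError:
        return False

# Allow-list per parameter. The metric and destType formats are assumptions;
# the advisory does not document the values the firmware accepts.
VALIDATORS = {
    "staticRoute_IP_setting": _ipv4,
    "staticRoute_Netmask_setting": _netmask,
    "staticRoute_Gateway_setting": _ipv4,
    "staticRoute_Metric_setting": lambda v: re.fullmatch(r"[0-9]{1,3}", v) is not None,
    "staticRoute_destType_setting": lambda v: re.fullmatch(r"[A-Za-z0-9_]{1,16}", v) is not None,
}

def check_request(path, body):
    """Return [(param, decoded_value)] for fields that fail the allow-list."""
    if path.split("?", 1)[0] != ENDPOINT:
        return []
    return [(k, v) for k, v in parse_qsl(body, keep_blank_values=True)
            if k in VALIDATORS and not VALIDATORS[k](v)]

# Constructed sample requests: (source address, path, form body).
GOOD = ("staticRoute_IP_setting=192.168.10.0&staticRoute_Netmask_setting=255.255.255.0"
        "&staticRoute_Gateway_setting=192.168.1.1&staticRoute_Metric_setting=1"
        "&staticRoute_destType_setting=net")
BAD = GOOD.replace("192.168.10.0", "192.168.10.0%3BCONSTRUCTED")  # encoded ';' suffix
SAMPLES = [("10.0.0.5", ENDPOINT, GOOD), ("10.0.0.9", ENDPOINT, BAD)]

def scan(samples):
    """Return [(source, failures)] for every request with a rejected field."""
    return [(src, hits) for src, path, body in samples
            if (hits := check_request(path, body))]

if __name__ == "__main__":
    for src, hits in scan(SAMPLES):
        print(f"ALERT {src} {ENDPOINT}: {hits}")
```

Validating against the expected format catches any metacharacter without maintaining a list of shell syntax, and the same patterns can be carried over to a WAF or IPS rule.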
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-08-20T11:16:31.303Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68a6267aad5a09ad00085260
Added to database: 8/20/2025, 7:48:10 PM
Last enriched: 8/20/2025, 8:02:46 PM
Last updated: 8/21/2025, 12:35:14 AM