CVE-2025-9245 is a high-severity stack-based buffer overflow vulnerability affecting multiple versions of Linksys range extender products, including RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000. The vulnerability resides in the WPSSTAPINEnr function within the /goform/WPSSTAPINEnr endpoint. Specifically, the issue arises from improper handling of the 'ssid' argument, which can be manipulated to overflow the stack buffer. This overflow can lead to arbitrary code execution or denial of service conditions. The vulnerability is remotely exploitable without requiring user interaction or prior authentication, as indicated by the CVSS vector (AV:N/AC:L/AT:N/UI:N/PR:L). The CVSS score of 8.7 (high) reflects the critical nature of this flaw, with high impact on confidentiality, integrity, and availability. Although the vendor was notified early, no response or patch has been provided, and a public exploit is available, increasing the risk of exploitation. The vulnerability affects several firmware versions ranging from 1.0.013.001 to 1.2.07.001, suggesting a broad attack surface across multiple device models. The lack of vendor mitigation and the availability of public exploit code make this a significant threat to networks using these Linksys devices, particularly in environments where these extenders are deployed to enhance wireless coverage.

For European organizations, this vulnerability poses a substantial risk, especially for enterprises, SMBs, and public institutions relying on Linksys range extenders to provide Wi-Fi coverage. Exploitation could allow attackers to execute arbitrary code remotely, potentially gaining control over the device and pivoting into internal networks. This could lead to data breaches, interception of network traffic, disruption of wireless connectivity, and further lateral movement within corporate environments. The vulnerability's ease of exploitation without authentication means attackers can target exposed devices directly from the internet or internal networks. Given the widespread use of Linksys products in Europe, particularly in office and home office setups, the threat could impact confidentiality of sensitive data and availability of network services. The absence of vendor patches increases the likelihood of exploitation, and public exploit availability lowers the barrier for attackers. Critical infrastructure operators, healthcare providers, and financial institutions using these devices are at heightened risk due to the potential for operational disruption and data compromise.

1. Immediate network segmentation: Isolate Linksys extenders from critical network segments to limit potential lateral movement in case of compromise. 2. Disable WPS functionality if not required, as the vulnerability is in the WPSSTAPINEnr function. 3. Implement strict firewall rules to restrict access to the management interfaces of these devices, especially blocking external internet access to the /goform/WPSSTAPINEnr endpoint. 4. Monitor network traffic for unusual patterns or attempts to exploit the ssid parameter, using IDS/IPS solutions with custom signatures targeting this vulnerability. 5. Replace or upgrade affected devices where possible, prioritizing models and firmware versions listed as vulnerable. 6. If replacement is not immediately feasible, consider deploying virtual patching via network security appliances to detect and block exploitation attempts. 7. Maintain rigorous asset inventories to identify all affected devices within the organization. 8. Engage with Linksys support channels regularly for updates or unofficial patches and consider vendor alternatives if no remediation is forthcoming. 9. Educate IT staff about the vulnerability and ensure incident response plans include scenarios involving compromised network extenders.