CVE-2025-9246 is a high-severity stack-based buffer overflow vulnerability affecting multiple Linksys range extender models, including RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000, specifically in firmware versions 1.0.013.001, 1.0.04.001, 1.0.04.002, 1.1.05.003, and 1.2.07.001. The vulnerability resides in the function check_port_conflict within the /goform/check_port_conflict endpoint. This function processes input parameters single_port_rule and port_range_rule, which, when maliciously crafted, can overflow the stack buffer. This overflow can lead to arbitrary code execution or denial of service. The attack vector is remote network access, requiring no user interaction and minimal privileges (low privileges) to exploit. The vulnerability has a CVSS 4.0 base score of 8.7, indicating high severity, with an exploitability rating of low complexity and no authentication required. The vendor Linksys was notified early but has not responded or issued patches, and while no known exploits are currently observed in the wild, a public exploit has been published, increasing the risk of exploitation. The vulnerability's impact includes potential full compromise of the affected device, allowing attackers to execute arbitrary code, disrupt network connectivity, or pivot into internal networks.

For European organizations, this vulnerability poses significant risks, especially for enterprises and small-to-medium businesses relying on Linksys range extenders to improve wireless coverage. Exploitation could lead to network disruption, loss of device availability, and unauthorized access to internal networks, potentially exposing sensitive data and critical infrastructure. Given that these devices often serve as network bridges or access points, attackers could leverage compromised extenders to launch lateral movement attacks or intercept network traffic. The lack of vendor response and patches increases the window of exposure. Organizations in sectors with high reliance on stable and secure network infrastructure, such as finance, healthcare, and critical infrastructure, are particularly vulnerable. Additionally, home office setups using these devices may be targeted to gain footholds into corporate networks via VPN or remote access connections.

1. Immediate network segmentation: Isolate affected Linksys extenders from critical network segments to limit potential lateral movement. 2. Disable remote management interfaces on affected devices to reduce attack surface. 3. Monitor network traffic for unusual activity originating from or targeting these extenders. 4. Replace or upgrade affected devices where possible, prioritizing models with updated firmware or alternative vendors with timely patch support. 5. If replacement is not immediately feasible, implement strict firewall rules to restrict access to the /goform/check_port_conflict endpoint or block suspicious payloads targeting single_port_rule and port_range_rule parameters. 6. Conduct regular vulnerability scans and penetration tests focusing on network edge devices. 7. Educate IT staff about this vulnerability and the importance of monitoring and rapid response. 8. Engage with Linksys support channels persistently for updates and patches, and consider reporting to national cybersecurity authorities if vendor support remains absent.