CVE-2025-9248 is a high-severity stack-based buffer overflow vulnerability affecting multiple Linksys range extender models, including RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000, across firmware versions 1.0.013.001, 1.0.04.001, 1.0.04.002, 1.1.05.003, and 1.2.07.001. The vulnerability resides in the RP_pingGatewayByBBS function within the /goform/RP_pingGatewayByBBS endpoint. Specifically, the flaw arises from improper handling of the ssidhex argument, which can be manipulated remotely to trigger a stack-based buffer overflow. This type of vulnerability allows an attacker to overwrite the stack memory, potentially leading to arbitrary code execution, denial of service, or system compromise. The attack vector is remote network access, requiring no user interaction or authentication, which significantly increases the risk profile. Although the vendor was notified early, no response or patch has been issued, and a public exploit is available, increasing the likelihood of exploitation. The CVSS 4.0 base score is 8.7, reflecting high impact on confidentiality, integrity, and availability, with low attack complexity and no privileges or user interaction required. This vulnerability is critical for environments relying on these Linksys devices for network extension, as exploitation could lead to full device compromise and pivoting into internal networks.

For European organizations, this vulnerability poses a significant risk, especially for small and medium enterprises and home office setups that commonly use Linksys range extenders to improve wireless coverage. Successful exploitation could lead to unauthorized access to internal networks, interception or manipulation of network traffic, and disruption of network availability. Given the remote exploitability without authentication, attackers could leverage this vulnerability to establish persistent footholds or launch further attacks on corporate infrastructure. Critical sectors such as finance, healthcare, and government agencies using these devices may face data breaches, operational disruptions, and compliance violations under GDPR due to compromised network security. The lack of vendor response and patches exacerbates the threat, requiring organizations to take immediate protective measures. Additionally, the presence of a public exploit increases the risk of widespread attacks, including by opportunistic cybercriminals and advanced persistent threat actors targeting European entities.

Organizations should immediately inventory their network infrastructure to identify the presence of affected Linksys range extender models and firmware versions. Given the absence of official patches, the primary mitigation is to isolate these devices from critical network segments and restrict remote access to management interfaces. Network segmentation should be enforced to limit potential lateral movement if a device is compromised. Disabling or restricting the /goform/RP_pingGatewayByBBS endpoint via firewall rules or device configuration, if possible, can reduce attack surface. Where feasible, replace vulnerable devices with updated or alternative hardware from vendors with active security support. Monitoring network traffic for anomalous activity targeting these devices and deploying intrusion detection/prevention systems with signatures for this exploit can provide early warning. Organizations should also implement strict access controls and consider using VPNs or secure tunnels for remote management. Finally, maintain heightened vigilance for indicators of compromise related to this vulnerability and prepare incident response plans accordingly.