CVE-2025-9249 is a high-severity stack-based buffer overflow vulnerability affecting multiple versions of Linksys range extender devices, specifically models RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000 running firmware versions 1.0.013.001, 1.0.04.001, 1.0.04.002, 1.1.05.003, and 1.2.07.001. The vulnerability resides in the DHCPReserveAddGroup function, which processes parameters such as enable_group, name_group, ip_group, and mac_group via the /goform/DHCPReserveAddGroup endpoint. Improper handling of these input arguments leads to a stack-based buffer overflow, allowing an attacker to overwrite memory on the device's stack. This flaw can be exploited remotely without authentication or user interaction, as the vulnerable endpoint is accessible over the network. The CVSS 4.0 score of 8.7 reflects the high impact and ease of exploitation, with the vector indicating network attack vector, low attack complexity, no privileges required, and no user interaction needed. The vulnerability impacts confidentiality, integrity, and availability with high severity, as an attacker could execute arbitrary code, potentially leading to device compromise, network pivoting, or denial of service. The vendor Linksys was notified but has not responded or issued patches, and no known exploits are publicly reported yet, though public disclosure of the exploit code exists, increasing the risk of imminent attacks. This vulnerability is critical for environments relying on these Linksys extenders for network connectivity and security, especially where these devices are exposed to untrusted networks or the internet.

For European organizations, the impact of CVE-2025-9249 can be significant. Linksys range extenders are commonly used in small to medium enterprises and home office environments to extend Wi-Fi coverage. A successful exploitation could allow attackers to gain control over the affected device, enabling interception or manipulation of network traffic, lateral movement within corporate networks, or disruption of network services. This can lead to data breaches, loss of sensitive information, and operational downtime. Given the remote exploitability without authentication, attackers could target exposed devices directly from the internet or via compromised internal hosts. Critical infrastructure sectors, financial institutions, and government agencies using these devices for network extension could face elevated risks. Additionally, the lack of vendor response and patches increases the window of exposure, necessitating immediate mitigation. The vulnerability also poses risks to privacy compliance under GDPR if personal data is intercepted or compromised due to network device exploitation.

1. Immediate network segmentation: Isolate Linksys extenders from critical network segments and restrict management interface access to trusted administrators only, preferably via VPN or secure management VLANs. 2. Disable remote management features on affected devices to prevent external exploitation. 3. Monitor network traffic for unusual activity originating from or targeting these extenders, including scanning for attempts to access /goform/DHCPReserveAddGroup. 4. Replace or upgrade affected devices where possible, prioritizing models without this vulnerability or from vendors with active security support. 5. If replacement is not immediately feasible, implement firewall rules to block inbound traffic to the vulnerable endpoint and limit access to the extenders. 6. Conduct regular vulnerability scans and penetration tests focusing on network infrastructure devices to detect exploitation attempts. 7. Maintain an inventory of all Linksys extenders in use, including firmware versions, to identify and prioritize remediation efforts. 8. Engage with Linksys support channels to seek updates or patches and monitor security advisories for any forthcoming fixes.