
CVE-2025-9249: Stack-based Buffer Overflow in Linksys RE6250

Severity: High
Type: Vulnerability
CVE: CVE-2025-9249
Published: Wed Aug 20 2025 (08/20/2025, 21:02:08 UTC)
Source: CVE Database V5
Vendor/Project: Linksys
Product: RE6250

Description

A vulnerability was determined in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. This affects the function DHCPReserveAddGroup of the file /goform/DHCPReserveAddGroup. This manipulation of the argument enable_group/name_group/ip_group/mac_group causes stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 08/28/2025, 01:29:38 UTC

Technical Analysis

CVE-2025-9249 is a high-severity stack-based buffer overflow vulnerability affecting multiple Linksys range extender models, including RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000, specifically in firmware versions 1.0.013.001, 1.0.04.001, 1.0.04.002, 1.1.05.003, and 1.2.07.001. The vulnerability resides in the DHCPReserveAddGroup function, located in the /goform/DHCPReserveAddGroup endpoint. This function improperly handles input parameters such as enable_group, name_group, ip_group, and mac_group, allowing an attacker to craft malicious requests that overflow the stack buffer. The overflow can lead to arbitrary code execution or cause the device to crash, resulting in denial of service. The vulnerability is remotely exploitable without user interaction or authentication, increasing its risk profile. Although the vendor was notified early, there has been no response or patch released at the time of publication. The CVSS v4.0 score is 8.7, reflecting high impact on confidentiality, integrity, and availability, with low attack complexity and no privileges or user interaction required. The exploit has been publicly disclosed, but no known active exploitation has been reported yet. Given the nature of the vulnerability, attackers could leverage it to gain control over the affected devices, potentially pivoting into internal networks or disrupting network connectivity.

Potential Impact

For European organizations, this vulnerability poses a significant risk, especially for enterprises and small-to-medium businesses relying on Linksys range extenders for network coverage. Successful exploitation could allow attackers to execute arbitrary code on these devices, compromising network integrity and confidentiality. This could lead to interception or manipulation of internal traffic, unauthorized access to connected devices, or disruption of network services. Critical infrastructure operators and organizations with sensitive data could face operational disruptions or data breaches. The lack of vendor response and patches increases the window of exposure. Additionally, since these devices are often deployed in home offices and branch locations, the vulnerability could be exploited as an entry point into corporate networks, undermining perimeter defenses. The remote, unauthenticated nature of the exploit further elevates the threat, making it accessible to a wide range of attackers, including opportunistic threat actors and potentially nation-state actors targeting European entities.

Mitigation Recommendations

Immediate mitigation should focus on network-level controls and device management. Organizations should identify and inventory all affected Linksys range extenders within their environment. Where possible, isolate these devices from critical network segments and restrict access to the /goform/DHCPReserveAddGroup endpoint using firewall rules or network segmentation. Disable remote management features on these devices to reduce exposure. Employ intrusion detection systems (IDS) or intrusion prevention systems (IPS) with signatures or heuristics to detect anomalous DHCPReserveAddGroup requests indicative of exploitation attempts. Monitor network traffic for unusual patterns targeting these devices. Since no official patches are available, consider replacing vulnerable devices with updated hardware or alternative products from vendors with active security support. Additionally, implement strict network access controls and multi-factor authentication on upstream network devices to limit lateral movement if a device is compromised. Regularly review vendor communications for updates or patches and apply them promptly once available.
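
The IDS heuristic recommended above can be sketched as follows. This is an added example, not part of the original advisory or of any vendor tooling: it inspects captured requests to /goform/DHCPReserveAddGroup and flags any of the four named parameters that is unusually long or carries non-printable bytes. The 64-byte threshold, the (url, body) record layout and the sample requests are assumptions constructed for the illustration; the advisory does not state the size of the affected buffer.

```python
from urllib.parse import parse_qsl, urlsplit

ENDPOINT = "/goform/DHCPReserveAddGroup"  # endpoint named in the advisory
WATCHED = ("enable_group", "name_group", "ip_group", "mac_group")  # from the advisory
MAX_LEN = 64  # assumed threshold; tune against legitimate traffic to your devices


def inspect_request(url, body):
    """Return a list of findings for one captured request (empty list = clean)."""
    parts = urlsplit(url)
    if parts.path.rstrip("/") != ENDPOINT:
        return []
    # Parameters may arrive in the query string or the form body; check both.
    # latin-1 maps each percent-decoded byte to one character, so len() counts
    # the bytes the device would actually copy.
    pairs = parse_qsl(parts.query, keep_blank_values=True, encoding="latin-1")
    pairs += parse_qsl(body, keep_blank_values=True, encoding="latin-1")
    findings = []
    for name, value in pairs:
        if name not in WATCHED:
            continue
        if len(value) > MAX_LEN:
            findings.append(f"{name}: {len(value)} bytes exceeds {MAX_LEN}")
        if any(ord(c) < 0x20 or ord(c) > 0x7E for c in value):
            findings.append(f"{name}: non-printable bytes")
    return findings


def scan(requests):
    """Return (index, findings) for every request that triggers a finding."""
    return [(i, f) for i, r in enumerate(requests) if (f := inspect_request(*r))]


# Constructed sample requests (not captured traffic); field formats are assumed.
SAMPLES = [
    ("/goform/DHCPReserveAddGroup",
     "enable_group=1&name_group=printer&ip_group=192.168.1.50"
     "&mac_group=AA:BB:CC:DD:EE:FF"),
    ("/goform/DHCPReserveAddGroup",
     "enable_group=1&name_group=" + "A" * 600 + "&ip_group=192.168.1.50"),
    ("/other/path", "name_group=" + "A" * 600),
]

if __name__ == "__main__":
    for index, findings in scan(SAMPLES):
        print(f"request {index}: {findings}")
```

A length threshold alone will miss short malformed values and can false-positive on legitimate long group lists, so baseline it against normal administration traffic before alerting on it.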


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-08-20T11:16:53.274Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68a63b7cad5a09ad000917f8

Added to database: 8/20/2025, 9:17:48 PM

Last enriched: 8/28/2025, 1:29:38 AM

Last updated: 10/5/2025, 8:25:39 AM
