CVE-2025-9250: Stack-based Buffer Overflow in Linksys RE6250

Severity: High
Type: Vulnerability
Tags: cve, cve-2025-9250
Published: Wed Aug 20 2025 (08/20/2025, 21:32:06 UTC)
Source: CVE Database V5
Vendor/Project: Linksys
Product: RE6250

Description

A vulnerability was identified in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. This impacts the function setPWDbyBBS of the file /goform/setPWDbyBBS. Such manipulation of the argument hint leads to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

AI analysis last updated: 08/20/2025, 22:02:46 UTC

Technical Analysis

CVE-2025-9250 is a high-severity stack-based buffer overflow vulnerability affecting multiple Linksys range extender models, including RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000, specifically in firmware versions 1.0.013.001, 1.0.04.001, 1.0.04.002, 1.1.05.003, and 1.2.07.001. The vulnerability resides in the function setPWDbyBBS within the /goform/setPWDbyBBS endpoint. This function improperly handles the 'hint' argument, allowing an attacker to craft a malicious request that overflows the stack buffer. This overflow can lead to arbitrary code execution or cause the device to crash, resulting in denial of service. The vulnerability can be exploited remotely without user interaction or authentication, increasing its risk profile. The CVSS 4.0 base score is 8.7, reflecting the ease of remote exploitation (AV:N), low attack complexity (AC:L), no privileges required (PR:L), no user interaction (UI:N), and high impact on confidentiality, integrity, and availability (VC:H, VI:H, VA:H). Although no patches have been released and the vendor has not responded to disclosure attempts, a public exploit is available, which raises the likelihood of active exploitation in the wild. The vulnerability affects the core functionality of these devices, which are commonly used to extend wireless network coverage, potentially exposing internal networks to compromise if exploited.

Potential Impact

For European organizations, this vulnerability poses a significant risk, especially for those relying on Linksys range extenders in their network infrastructure. Exploitation could allow attackers to gain unauthorized access to internal networks by compromising the range extender, which often bridges wireless and wired segments. This could lead to data exfiltration, lateral movement within corporate networks, or disruption of network availability. Given the remote and unauthenticated nature of the exploit, attackers can target vulnerable devices over the internet or local networks without requiring user interaction. The lack of vendor response and patches increases the window of exposure. Organizations in sectors with stringent data protection requirements, such as finance, healthcare, and critical infrastructure, may face regulatory and operational consequences if exploited. Additionally, compromised devices could be leveraged as entry points for broader cyberattacks or as part of botnets, amplifying the threat landscape in Europe.

Mitigation Recommendations

Immediate mitigation should focus on identifying and isolating vulnerable Linksys range extenders within the network. Network administrators should conduct thorough inventories to detect affected models and firmware versions. Until patches are available, organizations should restrict remote access to these devices by implementing firewall rules that block inbound traffic to the management interfaces, especially the /goform/setPWDbyBBS endpoint if possible. Disabling remote management features or changing default credentials can reduce exposure. Network segmentation should be enforced to limit the range extender's access to critical systems. Monitoring network traffic for unusual patterns or exploit attempts targeting the vulnerable endpoint is recommended. Where feasible, replacing vulnerable devices with models from vendors with active security support is advisable. Organizations should also engage with Linksys support channels to seek updates or advisories and subscribe to vulnerability intelligence feeds for timely patch releases. Implementing intrusion detection/prevention systems (IDS/IPS) with signatures for this exploit can provide additional defense layers.
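
One way to implement the traffic monitoring recommended above, as an added example that is not part of the original advisory: it checks HTTP request records for access to /goform/setPWDbyBBS from outside a management subnet and for oversized or non-printable `hint` values. The 64-byte threshold, the 192.168.1.0/24 subnet and the record layout are assumptions; the advisory states no buffer size.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/goform/setPWDbyBBS"   # endpoint named in the advisory
PARAM = "hint"                     # argument named in the advisory
MAX_HINT_BYTES = 64                # assumption: the advisory gives no buffer size
MGMT_NET = ipaddress.ip_network("192.168.1.0/24")  # assumption: admin subnet


def hint_values(target, body):
    """Collect every 'hint' value from the query string and the form body."""
    values = []
    for encoded in (urlsplit(target).query, body):
        # latin-1 keeps one character per decoded byte, so len() counts bytes
        fields = parse_qs(encoded, keep_blank_values=True, encoding="latin-1")
        values.extend(fields.get(PARAM, []))
    return values


def inspect(src_ip, target, body=""):
    """Return a list of findings for one HTTP request record."""
    path = urlsplit(target).path.rstrip("/")
    # Case-insensitive match errs toward flagging rather than missing a request
    if path.lower() != ENDPOINT.lower():
        return []
    findings = []
    if ipaddress.ip_address(src_ip) not in MGMT_NET:
        findings.append("endpoint reached from outside management subnet")
    for value in hint_values(target, body):
        if len(value) > MAX_HINT_BYTES:
            findings.append(f"oversized hint ({len(value)} bytes)")
        if any(ord(c) < 0x20 or ord(c) > 0x7E for c in value):
            findings.append("non-printable bytes in hint")
    return findings


# Constructed sample records (src_ip, target, body); not real traffic.
SAMPLES = [
    ("192.168.1.10", "/goform/setPWDbyBBS", "hint=my+first+pet"),
    ("192.168.1.10", "/goform/setPWDbyBBS", "hint=" + "x" * 600),
    ("203.0.113.7", "/goform/setPWDbyBBS", "hint=ok"),
    ("203.0.113.7", "/index.html", ""),
]

if __name__ == "__main__":
    for record in SAMPLES:
        print(record[0], record[1], inspect(*record) or "clean")
```

Tune `MAX_HINT_BYTES` and `MGMT_NET` to the environment before feeding proxy or IDS records through `inspect`.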


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-08-20T11:16:55.733Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68a64284ad5a09ad00093436

Added to database: 8/20/2025, 9:47:48 PM

Last enriched: 8/20/2025, 10:02:46 PM

Last updated: 8/21/2025, 12:35:14 AM
