CVE-2025-9252 is a high-severity stack-based buffer overflow vulnerability affecting multiple Linksys Wi-Fi range extender models, including RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000, specifically in firmware versions 1.0.013.001, 1.0.04.001, 1.0.04.002, 1.1.05.003, and 1.2.07.001. The vulnerability resides in the function DisablePasswordAlertRedirect, accessible via the /goform/DisablePasswordAlertRedirect endpoint. By manipulating the 'hint' argument passed to this function, an attacker can trigger a stack-based buffer overflow. This type of vulnerability allows an attacker to overwrite memory on the stack, potentially leading to arbitrary code execution, denial of service, or system crashes. The attack vector is remote and does not require user interaction, but does require low-level privileges (PR:L), indicating some form of limited authentication or access is necessary. The CVSS 4.0 score of 8.7 reflects the high impact on confidentiality, integrity, and availability, with low attack complexity and no user interaction needed. The vendor, Linksys, was contacted early but did not respond or provide a patch, and no official patch links are available. Although no known exploits are currently reported in the wild, a public exploit has been released, increasing the risk of exploitation. This vulnerability is critical for network infrastructure security, as compromised range extenders can serve as entry points into internal networks or be used to disrupt network availability.

For European organizations, this vulnerability poses a significant risk to network security and operational continuity. Linksys range extenders are commonly deployed in both enterprise and small-to-medium business environments to extend wireless coverage. Exploitation could allow attackers to execute arbitrary code on the device, potentially gaining a foothold within the internal network, intercepting or manipulating network traffic, or causing denial of service by crashing the device. This could lead to data breaches, disruption of business operations, and compromise of sensitive information. The lack of vendor response and patches increases exposure time, and the public availability of exploits lowers the barrier for attackers. Organizations relying on these devices for critical connectivity, especially in sectors such as finance, healthcare, and government, face elevated risks. Additionally, compromised devices could be leveraged in botnets or lateral movement campaigns targeting European networks.

Given the absence of official patches, European organizations should immediately identify and inventory all affected Linksys range extender models and firmware versions within their networks. As a temporary mitigation, affected devices should be isolated from critical network segments or replaced with devices from vendors with active security support. Network segmentation should be enforced to limit the impact of a compromised device. Administrators should disable remote management interfaces if enabled and restrict access to the management interface to trusted IP addresses only. Monitoring network traffic for unusual activity originating from these devices is recommended. Where possible, implement network-level protections such as firewall rules to block access to the vulnerable endpoint (/goform/DisablePasswordAlertRedirect). Organizations should also engage with Linksys support channels to demand timely patches and monitor for any future firmware updates addressing this vulnerability. Finally, consider deploying intrusion detection/prevention systems capable of detecting exploitation attempts targeting this vulnerability.