CVE-2025-9355 is a high-severity stack-based buffer overflow vulnerability affecting multiple Linksys range extender models, including RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000, across various firmware versions (1.0.013.001, 1.0.04.001, 1.0.04.002, 1.1.05.003, and 1.2.07.001). The vulnerability resides in the function scheduleAdd within the /goform/scheduleAdd endpoint, where improper handling of the ruleName argument allows an attacker to overflow the stack buffer. This flaw can be exploited remotely without authentication or user interaction, as the vulnerable endpoint is accessible over the network. The buffer overflow can lead to arbitrary code execution with elevated privileges, compromising the confidentiality, integrity, and availability of the device and potentially the broader network it supports. Despite early notification, Linksys has not responded or issued patches, and a public exploit exists, increasing the risk of exploitation. The CVSS 4.0 score of 8.7 reflects the high impact and ease of exploitation, with no privileges or user interaction required, and full compromise potential. This vulnerability is critical for environments relying on these Linksys extenders for network extension and security, as attackers could leverage this flaw to gain persistent footholds or pivot into internal networks.

For European organizations, the impact of CVE-2025-9355 is significant, especially for small and medium enterprises (SMEs) and home office environments that commonly deploy consumer-grade Linksys range extenders to improve Wi-Fi coverage. Exploitation could lead to unauthorized network access, data interception, or lateral movement within corporate networks, undermining data confidentiality and operational integrity. Critical infrastructure or organizations with remote sites using these devices are at heightened risk of disruption or espionage. The lack of vendor response and patches exacerbates the threat, forcing organizations to consider device replacement or network segmentation to mitigate risks. Additionally, compromised extenders could be used as entry points for broader attacks, including ransomware or supply chain compromises, impacting business continuity and regulatory compliance under GDPR and other European data protection laws.

Given the absence of official patches, European organizations should immediately identify and inventory all affected Linksys devices in their networks. Practical mitigations include: 1) Isolating vulnerable extenders on segmented VLANs or guest networks to limit lateral movement; 2) Disabling remote management interfaces and restricting access to trusted IPs only; 3) Employing network intrusion detection systems (NIDS) to monitor for exploit attempts targeting /goform/scheduleAdd; 4) Considering temporary removal or replacement of vulnerable devices with models from vendors providing timely security updates; 5) Applying strict firewall rules to block unsolicited inbound traffic to the extenders; 6) Monitoring network traffic for anomalies indicative of exploitation attempts; and 7) Educating IT staff on the vulnerability and ensuring incident response plans include this threat. Organizations should also engage with Linksys or authorized resellers for updates and consider vendor alternatives if support remains unavailable.