CVE-2025-9355 is a high-severity stack-based buffer overflow vulnerability affecting multiple Linksys range extender models, including RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000, specifically in firmware versions 1.0.013.001, 1.0.04.001, 1.0.04.002, 1.1.05.003, and 1.2.07.001. The vulnerability resides in the scheduleAdd function, accessible via the /goform/scheduleAdd endpoint. It is triggered by manipulating the ruleName argument, which leads to a stack-based buffer overflow. This type of vulnerability allows an attacker to overwrite the stack memory, potentially enabling arbitrary code execution or causing a denial of service. The vulnerability can be exploited remotely without user interaction or authentication, as indicated by the CVSS vector (AV:N/AC:L/AT:N/UI:N/PR:L). The CVSS 4.0 base score is 8.7, reflecting a high severity due to the ease of exploitation and the critical impact on confidentiality, integrity, and availability. The vendor, Linksys, was notified early but has not responded or issued patches, increasing the risk for affected users. Although no known exploits are currently reported in the wild, the public availability of exploit code raises the likelihood of imminent attacks. The vulnerability's exploitation could allow attackers to gain control over the device, intercept or manipulate network traffic, or pivot into internal networks, especially in environments where these range extenders are deployed as part of enterprise or home office networks.

For European organizations, the impact of CVE-2025-9355 can be significant. Linksys range extenders are commonly used to improve wireless coverage in both residential and small to medium business environments. Exploitation could lead to unauthorized access to internal networks, data interception, and lateral movement within corporate infrastructures. This is particularly concerning for organizations relying on these devices for secure remote access or as part of their network perimeter. The lack of vendor response and patches increases exposure time, raising the risk of targeted attacks. Confidentiality breaches could expose sensitive corporate or personal data, while integrity and availability impacts could disrupt business operations. Additionally, compromised devices could be leveraged as entry points for broader cyberattacks, including ransomware or espionage campaigns. The vulnerability's remote exploitability without authentication makes it a critical threat vector, especially in environments with limited network segmentation or outdated device management practices.

Given the absence of official patches from Linksys, European organizations should implement immediate compensating controls. First, isolate affected devices from critical network segments and restrict management interface access to trusted IP addresses via firewall rules. Disable remote management features if enabled, and monitor network traffic for unusual activity originating from or targeting these devices. Network segmentation should be enforced to limit potential lateral movement. Organizations should consider replacing vulnerable Linksys range extenders with devices from vendors that provide timely security updates. Additionally, deploying intrusion detection/prevention systems (IDS/IPS) with signatures for buffer overflow attempts targeting /goform/scheduleAdd can help detect exploitation attempts. Regularly auditing device firmware versions and maintaining an inventory of network hardware will aid in identifying and mitigating risks promptly. Finally, educating IT staff about this vulnerability and encouraging vigilance for indicators of compromise is essential until a vendor patch becomes available.