CVE-2025-9356 is a high-severity stack-based buffer overflow vulnerability affecting multiple Linksys Wi-Fi range extender models, including RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000, specifically in firmware versions 1.0.013.001, 1.0.04.001, 1.0.04.002, 1.1.05.003, and 1.2.07.001. The vulnerability resides in the function inboundFilterAdd, located in the /goform/inboundFilterAdd endpoint, which processes the argument ruleName. Improper handling of this input allows an attacker to overflow the stack buffer, potentially overwriting control data such as return addresses. This can lead to arbitrary code execution or denial of service. The vulnerability is remotely exploitable without authentication or user interaction, making it particularly dangerous. The CVSS v4.0 score is 8.7 (high), reflecting the network attack vector, low attack complexity, no privileges or user interaction required, and high impact on confidentiality, integrity, and availability. Although the vendor was notified early, no response or patch has been released, and the exploit code has been publicly disclosed, increasing the risk of exploitation. No known exploits are currently observed in the wild, but the public disclosure and lack of patching make this a critical concern for affected users. The vulnerability affects the inbound filtering functionality, which is typically used to control network traffic rules, so exploitation could allow attackers to bypass network security controls or gain persistent access to the device and the internal network.

For European organizations, this vulnerability poses a significant risk, especially for those using Linksys range extenders in their network infrastructure. Compromise of these devices can lead to unauthorized network access, lateral movement within corporate networks, interception or manipulation of internal traffic, and potential disruption of network availability. Since these devices often serve as Wi-Fi extenders in home offices or small branch offices, exploitation could provide attackers a foothold into corporate environments, bypassing perimeter defenses. The lack of vendor response and patch availability increases the window of exposure. Organizations relying on these devices for network extension or segmentation may face confidentiality breaches, integrity violations, and service interruptions. Additionally, critical sectors such as finance, healthcare, and government entities in Europe that use these devices could be targeted for espionage or sabotage. The remote and unauthenticated nature of the exploit means attackers can scan for vulnerable devices and compromise them en masse, potentially leading to large-scale botnets or coordinated attacks impacting European networks.

Given the absence of official patches, European organizations should immediately inventory their network for affected Linksys models and firmware versions. As a temporary mitigation, disable remote management interfaces and restrict access to the /goform/inboundFilterAdd endpoint via firewall rules or network segmentation to trusted management networks only. Replace vulnerable devices with updated hardware from vendors with active security support if possible. Employ network intrusion detection/prevention systems (IDS/IPS) to monitor for exploit attempts targeting this vulnerability. Regularly update network device firmware and monitor vendor advisories for any forthcoming patches. Additionally, implement strict network access controls and segment Wi-Fi extenders from critical network assets to limit potential attacker movement. Conduct penetration testing and vulnerability scanning focused on these devices to identify exploitation attempts. Finally, educate IT staff about this vulnerability to ensure rapid response if exploitation indicators are detected.