CVE-2025-9356 is a high-severity stack-based buffer overflow vulnerability affecting multiple Linksys range extender models, including RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000, across firmware versions 1.0.013.001, 1.0.04.001, 1.0.04.002, 1.1.05.003, and 1.2.07.001. The vulnerability resides in the inboundFilterAdd function, specifically in the /goform/inboundFilterAdd endpoint, where improper handling of the ruleName argument allows an attacker to overflow the stack buffer. This flaw can be exploited remotely without user interaction or prior authentication, making it particularly dangerous. The CVSS 4.0 base score is 8.7, indicating high severity, with attack vector network (AV:N), low attack complexity (AC:L), no privileges required (PR:L), no user interaction (UI:N), and high impact on confidentiality, integrity, and availability (VC:H, VI:H, VA:H). The vulnerability could allow an attacker to execute arbitrary code, cause denial of service, or gain unauthorized control over the affected device. Despite early notification, Linksys has not responded or released patches, and while no known exploits are currently observed in the wild, the public disclosure of the exploit code increases the risk of imminent attacks. The affected devices are commonly used as Wi-Fi range extenders in home and small office environments, often connected to critical network infrastructure, potentially serving as a pivot point for lateral movement within networks.

For European organizations, this vulnerability poses a significant risk, especially for small and medium enterprises (SMEs) and home office setups that rely on Linksys range extenders for network coverage. Exploitation could lead to unauthorized access to internal networks, interception or manipulation of network traffic, and disruption of network availability. Given the remote exploitability without authentication, attackers could compromise devices from outside the network perimeter. This could facilitate further attacks such as data exfiltration, deployment of malware, or establishing persistent footholds. Critical sectors such as finance, healthcare, and government agencies using these devices in branch offices or remote locations could face operational disruptions and data breaches. The lack of vendor response and patches exacerbates the threat, forcing organizations to rely on mitigations or device replacement. Additionally, the high confidentiality, integrity, and availability impacts mean that exploitation could severely affect organizational security posture and compliance with European data protection regulations like GDPR.

Organizations should immediately inventory their network infrastructure to identify the presence of affected Linksys range extender models and firmware versions. Since no patches are currently available, practical mitigations include: 1) Isolating affected devices on segmented network zones with strict access controls to limit exposure; 2) Disabling remote management interfaces and restricting access to the /goform/inboundFilterAdd endpoint via firewall rules or network ACLs; 3) Monitoring network traffic for unusual activity or attempts to access the vulnerable endpoint; 4) Replacing vulnerable devices with updated models from vendors with active security support; 5) Implementing network intrusion detection/prevention systems (IDS/IPS) tuned to detect exploitation attempts targeting this vulnerability; 6) Applying strict network segmentation to prevent lateral movement if a device is compromised; 7) Educating IT staff about the vulnerability and ensuring rapid incident response capabilities. Organizations should also regularly check for vendor updates or security advisories and apply patches immediately once available.