CVE-2025-9357 is a high-severity stack-based buffer overflow vulnerability affecting multiple Linksys range extender models, including RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000, across several firmware versions (1.0.013.001, 1.0.04.001, 1.0.04.002, 1.1.05.003, and 1.2.07.001). The vulnerability resides in the langSwitchByBBS function within the /goform/langSwitchByBBS endpoint. Specifically, the flaw arises from improper handling of the langSelectionOnly argument, which can be manipulated remotely to trigger a stack-based buffer overflow. This type of vulnerability allows an attacker to overwrite the call stack, potentially leading to arbitrary code execution, denial of service, or system compromise. The vulnerability can be exploited remotely without user interaction or authentication, increasing its risk profile. The CVSS 4.0 base score is 8.7, reflecting its high impact on confidentiality, integrity, and availability, with low attack complexity and no privileges or user interaction required. Although the vendor was contacted early, no response or patch has been issued, and a public exploit is available, increasing the likelihood of exploitation. This vulnerability affects the core firmware of Linksys range extenders, which are commonly deployed in home and small office networks to extend Wi-Fi coverage. The lack of a patch and public exploit availability make this a critical concern for affected users and organizations relying on these devices for network connectivity and security.

For European organizations, the exploitation of CVE-2025-9357 could lead to significant security breaches. Compromised Linksys range extenders can serve as entry points into internal networks, allowing attackers to intercept, manipulate, or disrupt network traffic. This can result in data exfiltration, unauthorized access to sensitive systems, lateral movement within corporate networks, and potential deployment of further malware or ransomware. The vulnerability's remote exploitability without authentication means attackers can target these devices over the internet or local networks, increasing the attack surface. Small and medium enterprises (SMEs) and home offices that rely on these extenders for network connectivity are particularly at risk, as they may lack robust network segmentation or monitoring. Additionally, the absence of vendor response and patches increases the window of exposure. Given the critical role of network infrastructure in operational continuity, exploitation could lead to downtime, loss of customer trust, regulatory non-compliance (e.g., GDPR breaches), and financial losses.

1. Immediate Network Segmentation: Isolate affected Linksys range extenders from critical network segments to limit potential lateral movement if compromised. 2. Disable Remote Management: If remote management features are enabled on these devices, disable them to reduce exposure to remote attacks. 3. Monitor Network Traffic: Implement enhanced network monitoring and intrusion detection systems to identify anomalous traffic patterns indicative of exploitation attempts targeting the /goform/langSwitchByBBS endpoint. 4. Replace or Upgrade Hardware: Where possible, replace vulnerable Linksys extenders with devices from vendors that provide timely security updates. If replacement is not feasible, consider downgrading or upgrading firmware to versions not affected by this vulnerability, if available. 5. Vendor Engagement: Continuously monitor Linksys communications for any patch releases or advisories. Engage with vendor support channels to demand timely remediation. 6. Access Control: Restrict management interface access to trusted IP addresses and enforce strong authentication where possible. 7. Incident Response Preparedness: Prepare incident response plans specific to network device compromise, including forensic analysis and containment strategies. 8. User Awareness: Educate users about the risks of compromised network devices and encourage reporting of unusual network behavior.