CVE-2025-9358: Stack-based Buffer Overflow in Linksys RE6250
A security flaw has been discovered in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. This vulnerability affects the function setSysAdm of the file /goform/setSysAdm. The manipulation of the argument admpasshint results in stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-9358 is a high-severity stack-based buffer overflow vulnerability affecting multiple Linksys range extender models, including RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000, specifically in firmware versions 1.0.013.001, 1.0.04.001, 1.0.04.002, 1.1.05.003, and 1.2.07.001. The flaw resides in the setSysAdm function within the /goform/setSysAdm endpoint, where improper handling of the 'admpasshint' argument allows an attacker to overflow the stack buffer. This vulnerability can be exploited remotely without authentication or user interaction, as indicated by the CVSS vector (AV:N/AC:L/AT:N/UI:N/PR:L), meaning an attacker with low privileges can trigger the overflow over the network. The overflow can lead to arbitrary code execution or system crashes, severely compromising the confidentiality, integrity, and availability of the affected devices. The vendor has not responded to disclosure attempts, and although no public exploit is currently known to be in the wild, the exploit code has been released publicly, increasing the risk of exploitation. The vulnerability's high CVSS score of 8.7 reflects its critical impact and ease of exploitation. This issue is particularly dangerous because these devices often serve as network extenders, potentially providing attackers a foothold inside corporate or home networks if exploited.
Potential Impact
For European organizations, this vulnerability poses significant risks. Linksys range extenders are commonly used in both enterprise and residential environments to improve Wi-Fi coverage. Exploitation could allow attackers to execute arbitrary code remotely, leading to device takeover, network reconnaissance, lateral movement, or disruption of network connectivity. This can result in data breaches, loss of network availability, and compromise of internal systems connected through these extenders. Given the remote exploitability without user interaction, attackers can target vulnerable devices en masse, potentially affecting critical infrastructure or business operations. The lack of vendor response and patches increases the window of exposure, making timely mitigation essential. Organizations relying on these devices for network extension should consider the risk of attackers leveraging this vulnerability to bypass perimeter defenses or establish persistent access.
Mitigation Recommendations
Since no patches are currently available from the vendor, European organizations should implement immediate compensating controls. These include isolating affected Linksys extenders on segmented network zones with strict firewall rules limiting inbound and outbound traffic to trusted sources only. Disable remote management interfaces if enabled, or restrict access to management interfaces to trusted IP addresses via access control lists. Monitor network traffic for unusual activity originating from or targeting these devices. Consider replacing vulnerable devices with models from vendors that provide timely security updates. Additionally, implement network intrusion detection/prevention systems (IDS/IPS) tuned to detect exploitation attempts targeting the /goform/setSysAdm endpoint or anomalous buffer overflow patterns. Regularly audit device firmware versions and maintain an inventory of all network extenders to ensure rapid identification of vulnerable units. Finally, educate IT staff about this vulnerability and the importance of network segmentation and device hardening.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Poland, Sweden, Switzerland
CVE-2025-9358: Stack-based Buffer Overflow in Linksys RE6250
Description
A security flaw has been discovered in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. This vulnerability affects the function setSysAdm of the file /goform/setSysAdm. The manipulation of the argument admpasshint results in stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
AI-Powered Analysis
Technical Analysis
CVE-2025-9358 is a high-severity stack-based buffer overflow vulnerability affecting multiple Linksys range extender models, including RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000, specifically in firmware versions 1.0.013.001, 1.0.04.001, 1.0.04.002, 1.1.05.003, and 1.2.07.001. The flaw resides in the setSysAdm function within the /goform/setSysAdm endpoint, where improper handling of the 'admpasshint' argument allows an attacker to overflow the stack buffer. This vulnerability can be exploited remotely without authentication or user interaction, as indicated by the CVSS vector (AV:N/AC:L/AT:N/UI:N/PR:L), meaning an attacker with low privileges can trigger the overflow over the network. The overflow can lead to arbitrary code execution or system crashes, severely compromising the confidentiality, integrity, and availability of the affected devices. The vendor has not responded to disclosure attempts, and although no public exploit is currently known to be in the wild, the exploit code has been released publicly, increasing the risk of exploitation. The vulnerability's high CVSS score of 8.7 reflects its critical impact and ease of exploitation. This issue is particularly dangerous because these devices often serve as network extenders, potentially providing attackers a foothold inside corporate or home networks if exploited.
Potential Impact
For European organizations, this vulnerability poses significant risks. Linksys range extenders are commonly used in both enterprise and residential environments to improve Wi-Fi coverage. Exploitation could allow attackers to execute arbitrary code remotely, leading to device takeover, network reconnaissance, lateral movement, or disruption of network connectivity. This can result in data breaches, loss of network availability, and compromise of internal systems connected through these extenders. Given the remote exploitability without user interaction, attackers can target vulnerable devices en masse, potentially affecting critical infrastructure or business operations. The lack of vendor response and patches increases the window of exposure, making timely mitigation essential. Organizations relying on these devices for network extension should consider the risk of attackers leveraging this vulnerability to bypass perimeter defenses or establish persistent access.
Mitigation Recommendations
Since no patches are currently available from the vendor, European organizations should implement immediate compensating controls. These include isolating affected Linksys extenders on segmented network zones with strict firewall rules limiting inbound and outbound traffic to trusted sources only. Disable remote management interfaces if enabled, or restrict access to management interfaces to trusted IP addresses via access control lists. Monitor network traffic for unusual activity originating from or targeting these devices. Consider replacing vulnerable devices with models from vendors that provide timely security updates. Additionally, implement network intrusion detection/prevention systems (IDS/IPS) tuned to detect exploitation attempts targeting the /goform/setSysAdm endpoint or anomalous buffer overflow patterns. Regularly audit device firmware versions and maintain an inventory of all network extenders to ensure rapid identification of vulnerable units. Finally, educate IT staff about this vulnerability and the importance of network segmentation and device hardening.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- VulDB
- Date Reserved
- 2025-08-22T15:40:18.364Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 68a97223ad5a09ad0027ff1c
Added to database: 8/23/2025, 7:47:47 AM
Last enriched: 8/31/2025, 1:06:56 AM
Last updated: 1/7/2026, 6:08:00 AM
Views: 136
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2025-14835: CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in opajaap WP Photo Album Plus
HighCVE-2026-0650: CWE-306 Missing Authentication for Critical Function in OpenFlagr Flagr
CriticalCVE-2025-15474: CWE-770 Allocation of Resources Without Limits or Throttling in AuntyFey AuntyFey Smart Combination Lock
MediumCVE-2025-14468: CWE-352 Cross-Site Request Forgery (CSRF) in mohammed_kaludi AMP for WP – Accelerated Mobile Pages
MediumCVE-2025-9611: CWE-749 Exposed Dangerous Method or Function in Microsoft Playwright
HighActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.