CVE-2025-9358 is a high-severity stack-based buffer overflow vulnerability affecting multiple Linksys range extender models, including RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000, specifically in firmware versions 1.0.013.001, 1.0.04.001, 1.0.04.002, 1.1.05.003, and 1.2.07.001. The flaw resides in the setSysAdm function within the /goform/setSysAdm endpoint, where improper handling of the 'admpasshint' argument allows an attacker to overflow the stack buffer. This vulnerability can be exploited remotely without authentication or user interaction, as indicated by the CVSS vector (AV:N/AC:L/AT:N/UI:N/PR:L), meaning an attacker with low privileges can trigger the overflow over the network. The overflow can lead to arbitrary code execution or system crashes, severely compromising the confidentiality, integrity, and availability of the affected devices. The vendor has not responded to disclosure attempts, and although no public exploit is currently known to be in the wild, the exploit code has been released publicly, increasing the risk of exploitation. The vulnerability's high CVSS score of 8.7 reflects its critical impact and ease of exploitation. This issue is particularly dangerous because these devices often serve as network extenders, potentially providing attackers a foothold inside corporate or home networks if exploited.

For European organizations, this vulnerability poses significant risks. Linksys range extenders are commonly used in both enterprise and residential environments to improve Wi-Fi coverage. Exploitation could allow attackers to execute arbitrary code remotely, leading to device takeover, network reconnaissance, lateral movement, or disruption of network connectivity. This can result in data breaches, loss of network availability, and compromise of internal systems connected through these extenders. Given the remote exploitability without user interaction, attackers can target vulnerable devices en masse, potentially affecting critical infrastructure or business operations. The lack of vendor response and patches increases the window of exposure, making timely mitigation essential. Organizations relying on these devices for network extension should consider the risk of attackers leveraging this vulnerability to bypass perimeter defenses or establish persistent access.

Since no patches are currently available from the vendor, European organizations should implement immediate compensating controls. These include isolating affected Linksys extenders on segmented network zones with strict firewall rules limiting inbound and outbound traffic to trusted sources only. Disable remote management interfaces if enabled, or restrict access to management interfaces to trusted IP addresses via access control lists. Monitor network traffic for unusual activity originating from or targeting these devices. Consider replacing vulnerable devices with models from vendors that provide timely security updates. Additionally, implement network intrusion detection/prevention systems (IDS/IPS) tuned to detect exploitation attempts targeting the /goform/setSysAdm endpoint or anomalous buffer overflow patterns. Regularly audit device firmware versions and maintain an inventory of all network extenders to ensure rapid identification of vulnerable units. Finally, educate IT staff about this vulnerability and the importance of network segmentation and device hardening.