CVE-2025-9358: Stack-based Buffer Overflow in Linksys RE6250
A security flaw has been discovered in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. This vulnerability affects the function setSysAdm of the file /goform/setSysAdm. The manipulation of the argument admpasshint results in stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-9358 is a critical security vulnerability identified in multiple versions of Linksys range extender devices, specifically models RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000 running firmware versions 1.0.013.001, 1.0.04.001, 1.0.04.002, 1.1.05.003, and 1.2.07.001. The flaw exists in the setSysAdm function behind the /goform/setSysAdm endpoint, where improper handling of the 'admpasshint' argument leads to a stack-based buffer overflow. This vulnerability allows an attacker to remotely execute arbitrary code or cause denial of service conditions without requiring user interaction or prior authentication, as the attack vector is network accessible (AV:N) and has low attack complexity (AC:L). The CVSS 4.0 base score of 8.7 reflects the high impact on confidentiality, integrity, and availability, with high exploitability. The vendor Linksys has not responded to disclosure attempts, and although no exploitation in the wild is currently known, exploit code has been released publicly, increasing the risk of imminent exploitation. The vulnerability affects the core administrative functionality of the device, potentially allowing attackers to gain control over the device, manipulate network traffic, or pivot into internal networks. Given the widespread use of these Linksys extenders in both consumer and small business environments, this vulnerability poses a significant threat to network security and stability.
Potential Impact
For European organizations, the exploitation of CVE-2025-9358 could lead to severe consequences. Compromised Linksys extenders could serve as entry points for attackers to infiltrate corporate or home networks, leading to data breaches, interception of sensitive communications, or lateral movement to more critical infrastructure. The loss of device integrity and availability could disrupt network connectivity, impacting business operations, especially for SMEs relying on these devices for network extension. Confidentiality breaches could expose personal data protected under GDPR, resulting in regulatory penalties and reputational damage. The remote and unauthenticated nature of the exploit increases the risk of widespread attacks, particularly in environments where these devices are deployed without stringent network segmentation or monitoring. Additionally, the lack of vendor response and patches exacerbates the risk, forcing organizations to rely on mitigation strategies until official fixes are available.
Mitigation Recommendations
Organizations should immediately inventory their network for the presence of affected Linksys extender models and firmware versions. Where possible, isolate these devices from critical network segments and restrict management interface access to trusted IP addresses via firewall rules. Disable remote administration features if not essential. Employ network intrusion detection/prevention systems (IDS/IPS) with signatures or heuristics capable of detecting exploitation attempts targeting /goform/setSysAdm endpoints. Monitor network traffic for unusual patterns or spikes in traffic to these devices. Consider replacing vulnerable devices with models from vendors providing timely security updates. Until patches are released, implement strict network segmentation to limit the potential impact of a compromised extender. Regularly update device firmware when vendors release patches and subscribe to vendor security advisories. Additionally, educate users about the risks of using outdated network hardware and encourage prompt remediation.
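As an illustration of the detection heuristic recommended above, the following added example (not part of the original advisory and not vendor code) inspects parsed HTTP requests for access to /goform/setSysAdm and for an abnormally long admpasshint value. The function names, the trusted-address set, the sample requests and the 64-byte threshold are assumptions made for the example; the advisory does not state the size of the vulnerable buffer.

```python
from urllib.parse import urlsplit, unquote, parse_qs

ENDPOINT = "/goform/setSysAdm"  # endpoint named in the advisory
PARAM = "admpasshint"           # argument named in the advisory
MAX_HINT_LEN = 64               # ASSUMPTION: alert threshold, not the real buffer size

def inspect_request(method, target, body, src_ip, trusted_ips=frozenset()):
    """Return a list of findings for one HTTP request (empty list = nothing to report)."""
    parts = urlsplit(target)
    # Normalise percent-encoding and a trailing slash before comparing the path.
    if unquote(parts.path).rstrip("/") != ENDPOINT:
        return []
    findings = []
    if src_ip not in trusted_ips:
        findings.append("mgmt-endpoint-from-untrusted-source")
    # latin-1 maps every byte to one character, so len() below counts decoded bytes.
    form = body.decode("latin-1") if method.upper() == "POST" else ""
    values = []
    for raw in (parts.query, form):  # the argument may arrive in either place
        values += parse_qs(raw, keep_blank_values=True, encoding="latin-1").get(PARAM, [])
    for value in values:
        if len(value) > MAX_HINT_LEN:
            findings.append(f"oversized-{PARAM}:{len(value)}")
        if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
            findings.append(f"control-bytes-in-{PARAM}")
    return findings

def scan(records, trusted_ips):
    """Run inspect_request over (method, target, body, src_ip) records; keep only hits."""
    hits = []
    for record in records:
        findings = inspect_request(*record, trusted_ips)
        if findings:
            hits.append((record[3], findings))
    return hits

# Constructed sample traffic (not captured from a real device).
TRUSTED = frozenset({"192.168.1.10"})
SAMPLE = [
    ("POST", "/goform/setSysAdm", b"admuser=admin&admpasshint=my+dog", "192.168.1.10"),
    ("POST", "/goform/setSysAdm", b"admuser=admin&admpasshint=" + b"A" * 300, "203.0.113.7"),
    ("POST", "/goform/setSysAdm?x=1", b"admpasshint=" + b"%41" * 100, "192.168.1.10"),
    ("GET", "/index.html", b"", "203.0.113.7"),
]

if __name__ == "__main__":
    for src, findings in scan(SAMPLE, TRUSTED):
        print(src, findings)
```

The length check runs on the percent-decoded value, so an encoded payload is measured at the size the device would actually copy. Tune the threshold against the longest hint your own administrators legitimately use.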
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-08-22T15:40:18.364Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 68a97223ad5a09ad0027ff1c
Added to database: 8/23/2025, 7:47:47 AM
Last enriched: 8/23/2025, 8:03:01 AM
Last updated: 8/23/2025, 1:00:27 PM