CVE-2025-9359 is a high-severity stack-based buffer overflow vulnerability affecting multiple versions of Linksys range extender models RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000. The vulnerable versions include firmware releases 1.0.013.001, 1.0.04.001, 1.0.04.002, 1.1.05.003, and 1.2.07.001. The flaw resides in the function RP_checkCredentialsByBBS within the /goform/RP_checkCredentialsByBBS endpoint, which processes the ssidhex and pwd parameters. Improper handling of these inputs allows an attacker to overflow the stack buffer, potentially overwriting critical memory regions. This vulnerability can be exploited remotely without user interaction or prior authentication, as the affected function is accessible via network requests. The CVSS 4.0 base score is 8.7, reflecting a high severity due to the network attack vector, low attack complexity, no privileges or user interaction required, and high impact on confidentiality, integrity, and availability. Although no patches have been released and the vendor has not responded to disclosure attempts, a public exploit is available, increasing the risk of exploitation. The vulnerability could allow attackers to execute arbitrary code, cause denial of service, or gain unauthorized access to the device, potentially enabling lateral movement within networks or interception of traffic passing through the range extenders.

For European organizations, this vulnerability poses significant risks, especially for enterprises and service providers relying on Linksys range extenders to improve wireless coverage. Successful exploitation could lead to compromise of network infrastructure components, enabling attackers to intercept sensitive communications, disrupt network availability, or pivot to internal systems. Given that these devices often operate at network edges or in less physically secure locations, attackers could exploit this remotely without physical access. This is particularly concerning for sectors with stringent data protection requirements such as finance, healthcare, and government agencies in Europe. The lack of vendor response and patches exacerbates the threat, increasing the window of exposure. Additionally, the availability of a public exploit lowers the barrier for threat actors, including cybercriminals and state-sponsored groups, to weaponize this vulnerability against European targets.

Organizations should immediately inventory their network infrastructure to identify any affected Linksys range extender models and firmware versions. Until official patches are available, it is critical to isolate these devices from untrusted networks by restricting management interfaces to trusted internal IP ranges and implementing strict firewall rules to block access to the /goform/RP_checkCredentialsByBBS endpoint. Network segmentation should be enhanced to limit the impact of a compromised device. Monitoring network traffic for unusual requests targeting the vulnerable endpoint can help detect exploitation attempts. Where possible, replace vulnerable devices with updated hardware or alternative products from vendors with active security support. Additionally, organizations should implement network intrusion detection/prevention systems (IDS/IPS) with signatures for this exploit once available. Regularly reviewing vendor communications for updates and applying patches promptly when released is essential to long-term mitigation.