CVE-2025-9359: Stack-based Buffer Overflow in Linksys RE6250
A weakness has been identified in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. This issue affects the function RP_checkCredentialsByBBS of the file /goform/RP_checkCredentialsByBBS. Manipulation of the argument ssidhex/pwd causes a stack-based buffer overflow. The attack can be initiated remotely. The exploit has been made available to the public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-9359 is a high-severity stack-based buffer overflow vulnerability affecting multiple versions of Linksys range extender devices, specifically models RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000 running firmware versions 1.0.013.001, 1.0.04.001, 1.0.04.002, 1.1.05.003, and 1.2.07.001. The vulnerability resides in the function RP_checkCredentialsByBBS within the /goform/RP_checkCredentialsByBBS endpoint. This function processes arguments ssidhex and pwd, and improper handling of these inputs allows an attacker to cause a stack-based buffer overflow. The overflow can be triggered remotely without requiring user interaction or prior authentication, as indicated by the CVSS vector (AV:N/AC:L/AT:N/UI:N/PR:L). The vulnerability impacts confidentiality, integrity, and availability with high impact metrics, enabling potential remote code execution or denial of service. The vendor has not responded to early disclosure attempts, and while no public exploit is confirmed in the wild, proof-of-concept code is available publicly, increasing the risk of exploitation. The vulnerability affects embedded firmware in widely deployed consumer and small business networking devices, which often have limited security controls and are frequently exposed to the internet or local networks. The lack of vendor patch availability further exacerbates the risk, leaving devices vulnerable to exploitation by attackers who can craft malicious requests to the vulnerable endpoint to execute arbitrary code or crash the device, potentially disrupting network connectivity or enabling further network compromise.
Potential Impact
For European organizations, this vulnerability poses a significant risk, especially for small and medium enterprises (SMEs) and home office environments that rely on Linksys range extenders for network coverage. Exploitation could lead to unauthorized remote code execution, allowing attackers to gain control over the device, intercept or manipulate network traffic, or launch lateral attacks within the network. This could result in data breaches, disruption of business operations, and compromise of sensitive information. The vulnerability's remote exploitability without authentication increases the attack surface, particularly for devices exposed to the internet or poorly segmented internal networks. Given the widespread use of Linksys devices in Europe, especially in countries with high consumer and SME adoption of Linksys networking products, the threat could impact critical infrastructure sectors that depend on stable network connectivity. The absence of vendor patches means organizations must rely on alternative mitigations, increasing operational complexity and risk. Additionally, the public availability of exploit code raises the likelihood of opportunistic attacks targeting vulnerable devices across Europe.
Mitigation Recommendations
Since no official patches are currently available from Linksys, European organizations should implement immediate compensating controls. These include isolating affected devices from direct internet exposure by placing them behind firewalls or VPNs, disabling remote management interfaces if enabled, and restricting access to the vulnerable /goform/RP_checkCredentialsByBBS endpoint via network segmentation or access control lists. Network monitoring should be enhanced to detect anomalous requests targeting this endpoint or unusual device behavior indicative of exploitation attempts. Organizations should inventory all Linksys range extenders to identify affected models and firmware versions and plan for device replacement or firmware upgrade once patches are released. Employing network intrusion detection/prevention systems (IDS/IPS) with updated signatures can help block exploit attempts. Additionally, educating users about the risks and encouraging secure network configurations will reduce exposure. For critical environments, consider deploying alternative hardware from vendors with active security support until a vendor patch is available.
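One way to implement the monitoring recommended above is to inspect captured HTTP requests for the endpoint and flag oversized `ssidhex` or `pwd` values. This is an added example, not code from the advisory or from Linksys; the length ceilings and the assumption that `ssidhex` carries a hex-encoded SSID are inferred from the parameter names and Wi-Fi limits, and the sample requests are constructed.

```python
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/goform/RP_checkCredentialsByBBS"  # endpoint named in the advisory
# Assumed ceilings (not from the advisory): an 802.11 SSID is at most 32 bytes,
# i.e. 64 hex characters, and a WPA2 passphrase or hex PSK at most 64 characters.
LIMITS = {"ssidhex": 64, "pwd": 64}
HEX_DIGITS = set("0123456789abcdefABCDEF")


def inspect_request(raw: str) -> list[str]:
    """Return findings for one raw HTTP request (request line, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    parts = head.split("\r\n", 1)[0].split(" ")
    if len(parts) < 2:
        return []  # not a parseable request line
    target = urlsplit(parts[1])
    if target.path.rstrip("/") != ENDPOINT:
        return []
    # The parameters may arrive in the query string or in the form body.
    params = parse_qs(target.query, keep_blank_values=True)
    for name, values in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(name, []).extend(values)
    findings = []
    for name, limit in LIMITS.items():
        for value in params.get(name, []):
            if len(value) > limit:
                findings.append(f"{name}: {len(value)} chars exceeds {limit}")
            if name == "ssidhex" and not set(value) <= HEX_DIGITS:
                findings.append("ssidhex: non-hex characters")
    return findings


# Constructed sample requests (192.0.2.10 is a documentation address).
PREFIX = "POST " + ENDPOINT + " HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n"
SAMPLES = [
    PREFIX + "ssidhex=486f6d65&pwd=correcthorse",
    PREFIX + "ssidhex=" + "41" * 300 + "&pwd=x",
    PREFIX + "ssidhex=zz&pwd=" + "B" * 200,
    "GET /index.html HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample.split("\r\n", 1)[0], "->", inspect_request(sample) or "ok")
```

The same length and character checks can be expressed as a rule in an IDS/IPS or a reverse proxy placed in front of the device's management interface.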
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-08-22T15:40:20.930Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68a98e5dad5a09ad00288aa1
Added to database: 8/23/2025, 9:48:13 AM
Last enriched: 8/23/2025, 10:02:50 AM
Last updated: 8/23/2025, 11:34:43 AM
Related Threats
- CVE-2025-9363: Stack-based Buffer Overflow in Linksys RE6250 (High)
- CVE-2025-9362: Stack-based Buffer Overflow in Linksys RE6250 (Medium)
- CVE-2025-9361: Stack-based Buffer Overflow in Linksys RE6250 (High)
- CVE-2025-9360: Stack-based Buffer Overflow in Linksys RE6250 (High)
- Murky Panda hackers exploit cloud trust to hack downstream customers (High)