CVE-2025-9360 is a high-severity stack-based buffer overflow vulnerability affecting multiple Linksys range extender models, specifically the RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000. The affected firmware versions include 1.0.013.001, 1.0.04.001, 1.0.04.002, 1.1.05.003, and 1.2.07.001. The vulnerability resides in the function accessControlAdd within the /goform/accessControlAdd endpoint. This function improperly handles the input parameters ruleName and schedule, allowing an attacker to craft malicious requests that overflow the stack buffer. This overflow can lead to arbitrary code execution or denial of service. The attack vector is remote and does not require user interaction or prior authentication, making exploitation feasible over the network. The vulnerability has been publicly disclosed, and although no known exploits are currently observed in the wild, the public disclosure increases the risk of exploitation. The vendor, Linksys, has not responded to early disclosure attempts, and no patches or mitigations have been officially released at this time. The CVSS v4.0 base score is 8.7, reflecting the high impact on confidentiality, integrity, and availability, combined with the ease of remote exploitation without authentication.

For European organizations, this vulnerability poses a significant risk, especially for enterprises and service providers relying on Linksys range extenders to expand wireless network coverage. Successful exploitation could allow attackers to execute arbitrary code remotely, potentially leading to full device compromise. This could result in network disruption, interception or manipulation of network traffic, lateral movement within corporate networks, and potential data breaches. The lack of vendor response and absence of patches exacerbate the risk, leaving affected devices exposed. Critical infrastructure, government agencies, and businesses with sensitive data could face operational downtime and reputational damage. Additionally, the vulnerability could be leveraged as a foothold for broader attacks targeting European networks, especially in environments where these devices are deployed without strict network segmentation or monitoring.

Given the absence of official patches, European organizations should implement immediate compensating controls. These include isolating affected Linksys devices on segmented VLANs with strict access controls to limit exposure. Network-level firewall rules should restrict inbound traffic to the management interfaces of these devices, ideally allowing access only from trusted administrative hosts. Monitoring network traffic for anomalous requests to the /goform/accessControlAdd endpoint can help detect exploitation attempts. Organizations should consider replacing vulnerable devices with models from vendors providing timely security updates. If replacement is not immediately feasible, disabling remote management features and restricting device configuration access to internal networks can reduce risk. Regularly auditing firmware versions and maintaining an inventory of affected devices will aid in prioritizing remediation efforts once patches become available.