CVE-2025-9361: Stack-based Buffer Overflow in Linksys RE6250
A vulnerability was detected in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. The affected element is the function ipRangeBlockManageRule of the file /goform/ipRangeBlockManageRule. Performing manipulation of the argument ipRangeBlockRuleName/scheduleIp/ipRangeBlockRuleIpAddr results in stack-based buffer overflow. The attack may be initiated remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-9361 is a high-severity stack-based buffer overflow vulnerability affecting multiple Linksys range extender models, including RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000, specifically in firmware versions 1.0.013.001, 1.0.04.001, 1.0.04.002, 1.1.05.003, and 1.2.07.001. The vulnerability resides in the function ipRangeBlockManageRule within the /goform/ipRangeBlockManageRule endpoint. It is triggered by manipulating the input parameters ipRangeBlockRuleName, scheduleIp, or ipRangeBlockRuleIpAddr, which leads to a stack-based buffer overflow. This type of overflow can allow an attacker to overwrite stack memory, potentially enabling arbitrary code execution or causing a denial of service. The vulnerability can be exploited remotely with low attack complexity and without user interaction, as indicated by the CVSS vector (AV:N/AC:L/AT:N/UI:N/PR:L), though it requires low privileges (PR:L). The vendor, Linksys, was contacted early but has not responded or issued a patch, and a public exploit is available, increasing the risk of exploitation. The CVSS 4.0 score of 8.7 reflects the high impact on confidentiality, integrity, and availability, together with low attack complexity and no need for user interaction. The absence of vendor patches and the availability of a public exploit make this vulnerability particularly dangerous for affected devices in production environments.
Potential Impact
For European organizations, this vulnerability poses a significant risk, especially for those using Linksys range extenders in their network infrastructure. Exploitation could lead to unauthorized remote code execution, allowing attackers to gain control over the device, intercept or manipulate network traffic, or disrupt network availability. This is critical for enterprises relying on these devices for extending wireless coverage in offices, warehouses, or remote sites. Compromise could facilitate lateral movement into internal networks, data exfiltration, or service disruption. The lack of vendor response and patches exacerbates the threat, increasing the likelihood of exploitation by cybercriminals or state-sponsored actors targeting European entities. Additionally, critical infrastructure or government networks using these devices may face heightened risks due to potential espionage or sabotage. The vulnerability's remote exploitability without user interaction means that attackers can target devices en masse, increasing the scale and speed of potential attacks across Europe.
Mitigation Recommendations
Given the absence of official patches, European organizations should immediately implement compensating controls. These include isolating affected Linksys devices on segmented network zones with strict firewall rules limiting inbound and outbound traffic to trusted sources only. Disable remote management interfaces if not strictly necessary, or restrict access via VPN or IP whitelisting. Monitor network traffic for unusual activity targeting the /goform/ipRangeBlockManageRule endpoint or anomalous requests containing suspicious payloads. Employ intrusion detection/prevention systems (IDS/IPS) with custom signatures to detect exploitation attempts. Where possible, replace vulnerable Linksys range extenders with devices from vendors providing timely security updates. Regularly audit network devices for firmware versions and maintain an asset inventory to identify and prioritize vulnerable devices. Engage with Linksys support channels persistently for updates and consider notifying national cybersecurity authorities to raise awareness. Finally, educate IT staff on this specific threat to ensure rapid incident response if exploitation is detected.
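The monitoring recommendation above can be prototyped as a small request inspector. This is an added example, not vendor or advisory code; the 64-character ceiling (`MAX_LEN`) and the sample requests are assumptions made for illustration, since the advisory does not state the buffer size.

```python
from urllib.parse import urlsplit, parse_qsl

ENDPOINT = "/goform/ipRangeBlockManageRule"
WATCHED = ("ipRangeBlockRuleName", "scheduleIp", "ipRangeBlockRuleIpAddr")
MAX_LEN = 64  # assumed ceiling for a legitimate value; tune per deployment


def inspect_request(method, target, body=""):
    """Return a list of (parameter, reason) findings for one HTTP request."""
    url = urlsplit(target)
    if url.path.rstrip("/") != ENDPOINT:
        return []
    # Parameters may arrive in the query string or a form-encoded body.
    pairs = parse_qsl(url.query, keep_blank_values=True)
    if method.upper() == "POST":
        pairs += parse_qsl(body, keep_blank_values=True)
    findings = []
    for name, value in pairs:
        if name not in WATCHED:
            continue
        if len(value) > MAX_LEN:
            findings.append((name, f"length {len(value)} exceeds {MAX_LEN}"))
        elif not value.isprintable():
            findings.append((name, "non-printable characters"))
    return findings


# Constructed sample requests (method, request target, body); not real traffic.
SAMPLES = [
    ("POST", ENDPOINT, "ipRangeBlockRuleName=guests&scheduleIp=192.168.1.20"),
    ("POST", ENDPOINT, "ipRangeBlockRuleName=" + "A" * 300),
    ("GET", ENDPOINT + "?scheduleIp=" + "1" * 90, ""),
    ("POST", "/goform/other", "ipRangeBlockRuleName=" + "A" * 300),
    ("POST", ENDPOINT, "ipRangeBlockRuleIpAddr=10.0.0.1%00%01"),
]


def scan(samples):
    """Map sample index to findings for every request that raised an alert."""
    return {i: f for i, (m, t, b) in enumerate(samples)
            if (f := inspect_request(m, t, b))}


if __name__ == "__main__":
    for idx, found in scan(SAMPLES).items():
        print(idx, found)
```

The same length and character checks translate directly into an IDS/IPS or reverse-proxy rule placed in front of the extender's management interface.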
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-08-22T15:40:27.396Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68a9b16aad5a09ad0029278a
Added to database: 8/23/2025, 12:17:46 PM
Last enriched: 8/23/2025, 12:32:47 PM
Last updated: 8/23/2025, 2:42:18 PM
Related Threats
- CVE-2025-9363: Stack-based Buffer Overflow in Linksys RE6250 (High)
- CVE-2025-9362: Stack-based Buffer Overflow in Linksys RE6250 (Medium)
- CVE-2025-9360: Stack-based Buffer Overflow in Linksys RE6250 (High)
- CVE-2025-9359: Stack-based Buffer Overflow in Linksys RE6250 (High)
- Murky Panda hackers exploit cloud trust to hack downstream customers (High)