CVE-2025-9363 is a high-severity stack-based buffer overflow vulnerability affecting multiple Linksys range extender models, including RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000, across several firmware versions (1.0.013.001, 1.0.04.001, 1.0.04.002, 1.1.05.003, and 1.2.07.001). The vulnerability resides in the function portTriggerManageRule within the /goform/portTriggerManageRule endpoint. Specifically, improper handling and manipulation of the triggerRuleName or schedule parameters allow an attacker to overflow the stack buffer. This overflow can lead to arbitrary code execution or denial of service conditions. The vulnerability is remotely exploitable over the network without requiring user interaction or prior authentication, significantly increasing its risk profile. The CVSS 4.0 base score is 8.7, reflecting its high impact on confidentiality, integrity, and availability, with low attack complexity and no privileges or user interaction needed. Despite early vendor notification, Linksys has not responded or issued patches, and while no known exploits are currently observed in the wild, public disclosure of the exploit code increases the likelihood of future attacks. This vulnerability poses a critical risk to network security, as compromised range extenders can serve as footholds for lateral movement or network disruption.

For European organizations, this vulnerability presents a significant threat to network infrastructure security. Linksys range extenders are commonly used in both enterprise and home office environments to improve wireless coverage. Exploitation could allow attackers to execute arbitrary code remotely, potentially leading to full device compromise. This could result in interception or manipulation of network traffic, disruption of wireless connectivity, or use of the compromised device as a pivot point for further attacks within corporate networks. Confidentiality of sensitive data traversing the network could be jeopardized, and integrity of network operations undermined. The lack of vendor response and patches exacerbates the risk, as organizations cannot rely on official fixes and must implement alternative mitigations. Given the remote, unauthenticated nature of the exploit, attackers could target vulnerable devices en masse, increasing the risk of widespread disruption or espionage, especially in sectors reliant on stable and secure wireless infrastructure.

Organizations should immediately inventory and identify any Linksys range extenders affected by this vulnerability. Since no official patches are available, mitigation should focus on network-level controls: isolate vulnerable devices on segmented VLANs with strict firewall rules limiting inbound access to management interfaces, especially blocking access to the /goform/portTriggerManageRule endpoint. Disable remote management features if enabled. Employ network intrusion detection/prevention systems (IDS/IPS) with signatures or heuristics to detect exploitation attempts targeting this vulnerability. Regularly monitor device logs for suspicious activity. Consider replacing vulnerable devices with updated hardware from vendors with active security support. For environments where replacement is not feasible, implement strict network access controls and continuous monitoring to reduce exposure. Additionally, educate IT staff about the vulnerability and the importance of rapid incident response in case of exploitation attempts.