CVE-2025-9363 is a high-severity stack-based buffer overflow vulnerability affecting multiple Linksys range extender models, including RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000, specifically in firmware versions 1.0.013.001, 1.0.04.001, 1.0.04.002, 1.1.05.003, and 1.2.07.001. The vulnerability resides in the function portTriggerManageRule within the /goform/portTriggerManageRule endpoint. It is triggered by manipulating the arguments triggerRuleName or schedule, which leads to a stack-based buffer overflow. This type of vulnerability allows an attacker to overwrite parts of the stack memory, potentially enabling arbitrary code execution or causing denial of service conditions. The vulnerability is remotely exploitable over the network without requiring user interaction or prior authentication, as indicated by the CVSS vector (AV:N/AC:L/AT:N/UI:N/PR:L). The CVSS 4.0 score of 8.7 reflects the high impact on confidentiality, integrity, and availability, with the attack complexity being low. Although the vendor was notified early, no response or patch has been issued, and a public exploit disclosure exists, increasing the risk of exploitation. The lack of vendor response and patch availability means affected devices remain vulnerable, and attackers could leverage this flaw to gain control over the device or disrupt network operations. The vulnerability affects core network infrastructure components (range extenders) that are often deployed in home and small office environments to extend wireless coverage, making exploitation a significant risk for network security and stability.

For European organizations, this vulnerability poses a significant threat to network security, particularly for small and medium enterprises (SMEs) and home office setups that rely on Linksys range extenders for Wi-Fi coverage. Successful exploitation could allow attackers to execute arbitrary code on the device, leading to full compromise of the range extender. This could be leveraged to intercept or manipulate network traffic, launch further attacks within the internal network, or create persistent backdoors. The disruption of network availability due to device crashes or denial of service could impact business continuity. Confidentiality breaches are also a concern, as attackers could capture sensitive data passing through the compromised device. Given the widespread use of Linksys products in Europe, especially in countries with high SME density, the vulnerability could affect a broad range of organizations. The absence of patches and vendor support exacerbates the risk, as organizations may be forced to rely on mitigations rather than definitive fixes. Additionally, the vulnerability could be exploited by cybercriminal groups or state-sponsored actors targeting European entities for espionage or disruption, especially in sectors where network reliability and data confidentiality are critical.

Organizations should immediately inventory their network infrastructure to identify the presence of affected Linksys range extender models and firmware versions. Since no official patches are available, the primary mitigation is to isolate these devices from untrusted networks, including the internet, by placing them behind firewalls or network segmentation controls to restrict access to the vulnerable /goform/portTriggerManageRule endpoint. Disabling remote management features on these devices can reduce exposure. Network monitoring should be enhanced to detect unusual traffic patterns or attempts to exploit the vulnerability. Where possible, organizations should consider replacing affected devices with models from vendors that provide timely security updates. Additionally, applying strict access control lists (ACLs) to limit which internal hosts can communicate with the extenders can reduce the attack surface. Regular backups of device configurations and network settings will aid in recovery if a device is compromised. Finally, organizations should stay alert for any vendor updates or community-developed patches and apply them promptly once available.