CVE-2025-9392: Stack-based Buffer Overflow in Linksys RE6250
A security vulnerability has been detected in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. This affects the function qosClassifier of the file /goform/qosClassifier. Such manipulation of the argument dir/sFromPort/sToPort/dFromPort/dToPort/protocol/layer7/dscp/remark_dscp leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-9392 is a high-severity stack-based buffer overflow vulnerability affecting multiple Linksys range extender models, specifically the RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000, across firmware versions 1.0.013.001, 1.0.04.001, 1.0.04.002, 1.1.05.003, and 1.2.07.001. The vulnerability resides in the qosClassifier function within the /goform/qosClassifier endpoint, which processes parameters such as dir, sFromPort, sToPort, dFromPort, dToPort, protocol, layer7, dscp, and remark_dscp. Improper handling and insufficient bounds checking of these input parameters allow an attacker to craft malicious requests that trigger a stack-based buffer overflow. This overflow can lead to arbitrary code execution or denial of service conditions. The vulnerability can be exploited remotely without requiring user interaction or authentication, making it particularly dangerous. The CVSS 4.0 base score is 8.7, reflecting the ease of remote exploitation (Attack Vector: Network), low attack complexity, no privileges required, and no user interaction needed. The vulnerability impacts confidentiality, integrity, and availability with high impact, as successful exploitation could allow attackers to take control of the device or disrupt network services. The vendor, Linksys, was contacted early but has not responded or issued patches, and no official patches or mitigations have been published yet. Although no known exploits have been observed in the wild, the public disclosure of the vulnerability increases the risk of exploitation by threat actors.
Potential Impact
For European organizations, this vulnerability poses a significant risk, especially for enterprises and service providers relying on Linksys range extenders to enhance wireless network coverage. Exploitation could lead to full compromise of the affected devices, enabling attackers to intercept or manipulate network traffic, pivot into internal networks, or cause network outages. This is particularly critical for organizations with remote or branch offices using these devices, as attackers can exploit the vulnerability remotely over the internet or internal networks. The lack of vendor response and patches increases exposure time, raising the likelihood of exploitation. Critical infrastructure sectors, financial institutions, healthcare providers, and government agencies in Europe that depend on secure and reliable network connectivity could face data breaches, operational disruptions, and reputational damage. Additionally, compromised devices could be leveraged as footholds for broader attacks or as part of botnets targeting European networks.
Mitigation Recommendations
Given the absence of official patches, European organizations should immediately conduct comprehensive inventories to identify the presence of affected Linksys range extender models and firmware versions. Network segmentation should be enforced to isolate these devices from sensitive internal networks and critical assets. Access to the management interfaces, especially the /goform/qosClassifier endpoint, should be restricted using firewall rules or network access control lists to limit exposure to trusted administrators only. Intrusion detection and prevention systems (IDS/IPS) should be configured to monitor and block suspicious traffic patterns targeting the vulnerable parameters. Organizations should consider disabling QoS features or the vulnerable service endpoints if feasible. Where possible, replace affected devices with alternative models or vendors that have issued security updates. Continuous monitoring for unusual device behavior or network anomalies is essential. Finally, organizations should maintain close watch on vendor communications for any forthcoming patches and apply them promptly once available.
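One way to apply the monitoring recommendation above, shown as an added example that is not part of the original advisory or any vendor tooling: a Python check that flags requests to /goform/qosClassifier whose listed parameters are oversized or malformed. The 64-character threshold, the reading of the four *Port fields as decimal ports, and the sample requests are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

ENDPOINT = "/goform/qosClassifier"
PORT_FIELDS = {"sFromPort", "sToPort", "dFromPort", "dToPort"}
OTHER_FIELDS = {"dir", "protocol", "layer7", "dscp", "remark_dscp"}
MAX_LEN = 64  # assumed tuning threshold; the advisory gives no buffer size


def is_valid_port(value):
    # Assumption: these fields carry a decimal TCP/UDP port (0-65535).
    # Length is checked before int() so huge digit strings are never parsed.
    return (value.isascii() and value.isdigit()
            and len(value) <= 5 and int(value) <= 65535)


def inspect_request(target, body=""):
    """Return a list of (field, reason) findings for one HTTP request."""
    url = urlsplit(target)
    if url.path.rstrip("/") != ENDPOINT:
        return []
    # Parameters may arrive in the query string or the form body; check both.
    pairs = parse_qsl(url.query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)
    findings = []
    for name, value in pairs:  # values are already percent-decoded
        if name in PORT_FIELDS:
            if value and not is_valid_port(value):
                findings.append((name, "not a valid port"))
        elif name in OTHER_FIELDS and len(value) > MAX_LEN:
            findings.append((name, f"length {len(value)} exceeds {MAX_LEN}"))
    return findings


# Constructed sample requests (request target, form body); not captured traffic.
SAMPLES = [
    ("/goform/qosClassifier", "dir=0&sFromPort=80&sToPort=443&protocol=TCP&dscp=10"),
    ("/goform/qosClassifier", "dir=0&sFromPort=" + "1" * 300 + "&protocol=TCP"),
    ("/goform/qosClassifier?layer7=" + "A" * 200, ""),
    ("/goform/other", "sFromPort=" + "9" * 300),
]

if __name__ == "__main__":
    for target, body in SAMPLES:
        print(target[:40], inspect_request(target, body))
```

The same field and length rules can be carried over to an IDS/IPS or reverse-proxy filter placed in front of the extender's management interface.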
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-08-23T15:38:01.385Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68ab2d15ad5a09ad003387fe
Added to database: 8/24/2025, 3:17:41 PM
Last enriched: 9/1/2025, 1:06:34 AM
Last updated: 10/7/2025, 10:51:57 AM