CVE-2025-9393: Stack-based Buffer Overflow in Linksys RE6250

High
Published: Sun Aug 24 2025 (08/24/2025, 15:32:06 UTC)
Source: CVE Database V5
Vendor/Project: Linksys
Product: RE6250

Description

A vulnerability was detected in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. This vulnerability affects the function addStaProfile of the file /goform/addStaProfile. Performing manipulation of the argument profile_name/Ssid/wep_key_1/wep_key_2/wep_key_3/wep_key_4/wep_key_length/wep_default_key/cipher/passphrase results in stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 08/24/2025, 16:02:54 UTC

Technical Analysis

CVE-2025-9393 is a high-severity stack-based buffer overflow vulnerability affecting multiple Linksys Wi-Fi range extender models, including RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000, across firmware versions 1.0.013.001, 1.0.04.001, 1.0.04.002, 1.1.05.003, and 1.2.07.001. The vulnerability resides in the addStaProfile function within the /goform/addStaProfile endpoint, which processes parameters such as profile_name, Ssid, wep_key_1 through wep_key_4, wep_key_length, wep_default_key, cipher, and passphrase. Improper handling and insufficient bounds checking of these input arguments allow an attacker to trigger a stack-based buffer overflow remotely. This can lead to arbitrary code execution or denial of service without user interaction.

The CVSS vector (AV:N/AC:L/AT:N/UI:N/PR:L) describes a network-reachable, low-complexity attack that needs no user interaction but does require low-level privileges (PR:L), which may be achievable through other means or default configurations. The vulnerability has a CVSS 4.0 base score of 8.7, reflecting its high impact on confidentiality, integrity, and availability. Although the vendor was notified early, no patch or response has been provided, and a public exploit is available, increasing the risk of exploitation. The lack of vendor response and public exploit availability make this a critical concern for affected users and organizations relying on these devices for network extension and connectivity.

Potential Impact

For European organizations, this vulnerability poses a significant risk to network security and operational continuity. Linksys range extenders are commonly used in both enterprise and home office environments to improve Wi-Fi coverage. Exploitation could allow attackers to execute arbitrary code on the device, potentially leading to network compromise, interception of sensitive data, lateral movement within internal networks, or disruption of network services. Given that these devices often bridge wireless and wired segments, a compromised extender could serve as a foothold for attackers to infiltrate corporate networks. The lack of vendor patches increases the window of exposure, and the public exploit availability heightens the likelihood of attacks. Organizations in Europe that rely on these devices for critical connectivity, especially in sectors such as finance, healthcare, and government, could face data breaches, service outages, and regulatory compliance issues under GDPR if personal data is exposed or network integrity is compromised.

Mitigation Recommendations

Immediate mitigation steps should include isolating affected Linksys range extenders from critical network segments to limit potential lateral movement. Network administrators should monitor traffic to and from these devices for unusual activity indicative of exploitation attempts. Where possible, replace vulnerable devices with models from vendors that provide timely security updates. If replacement is not immediately feasible, restrict access to the management interfaces of these devices using network segmentation, firewall rules, and VPNs to limit exposure to trusted administrators only. Employ intrusion detection/prevention systems (IDS/IPS) with signatures or heuristics capable of detecting exploitation attempts targeting this vulnerability. Regularly audit network devices for firmware versions and maintain an inventory to identify affected units. Additionally, consider disabling WEP and legacy encryption protocols referenced in the vulnerability parameters, as these are outdated and insecure. Organizations should also prepare incident response plans specific to network device compromise scenarios.
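A detection heuristic for the traffic-monitoring step above, as an added example that is not part of the original advisory: it flags requests to /goform/addStaProfile in which any of the listed parameters decodes to more than MAX_LEN bytes. The 64-byte threshold, the record layout, the `/goform/other` path and the sample requests are assumptions constructed for illustration; the advisory gives no buffer sizes.

```python
from urllib.parse import parse_qsl, urlsplit

ENDPOINT = "/goform/addStaProfile"
# Parameter names listed in the advisory.
WATCHED = {"profile_name", "Ssid", "wep_key_1", "wep_key_2", "wep_key_3",
           "wep_key_4", "wep_key_length", "wep_default_key", "cipher",
           "passphrase"}
# Assumption: 64 bytes covers the longest legitimate Wi-Fi value
# (a 64-hex-digit WPA pre-shared key). Tune for your environment.
MAX_LEN = 64

def oversized_params(path, body):
    """Return [(param, decoded_byte_length)] for watched params over MAX_LEN."""
    parts = urlsplit(path)
    if parts.path != ENDPOINT:
        return []
    hits = []
    # Parameters can arrive in the query string or the form-encoded body.
    for source in (parts.query, body):
        # latin-1 maps one decoded byte to one character, so len() counts
        # bytes after percent-decoding rather than raw characters on the wire.
        for name, value in parse_qsl(source, keep_blank_values=True,
                                     encoding="latin-1"):
            if name in WATCHED and len(value) > MAX_LEN:
                hits.append((name, len(value)))
    return hits

def scan(records):
    """Return one alert per request that carries an oversized parameter."""
    alerts = []
    for rec in records:
        hits = oversized_params(rec["path"], rec["body"])
        if hits:
            alerts.append({"src": rec["src"], "params": hits})
    return alerts

# Constructed sample records (documentation IP range), not captured traffic.
SAMPLE = [
    {"src": "192.0.2.10", "path": ENDPOINT,
     "body": "profile_name=home&Ssid=office-wifi&cipher=1&passphrase=correct-horse"},
    {"src": "192.0.2.77", "path": ENDPOINT,
     "body": "profile_name=x&passphrase=" + "A" * 600},
    {"src": "192.0.2.78", "path": ENDPOINT + "?Ssid=" + "%41" * 100, "body": ""},
    {"src": "192.0.2.79", "path": "/goform/other", "body": "passphrase=" + "A" * 600},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

The same length check translates directly into an IDS/IPS or reverse-proxy rule placed in front of the extender's management interface.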

Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-08-23T15:38:12.812Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68ab341dad5a09ad0033a4f5

Added to database: 8/24/2025, 3:47:41 PM

Last enriched: 8/24/2025, 4:02:54 PM

Last updated: 8/24/2025, 4:52:19 PM
