CVE-2025-9393 is a high-severity stack-based buffer overflow vulnerability affecting multiple Linksys range extender models, specifically RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000, across firmware versions 1.0.013.001, 1.0.04.001, 1.0.04.002, 1.1.05.003, and 1.2.07.001. The vulnerability resides in the addStaProfile function within the /goform/addStaProfile endpoint. This function processes several parameters including profile_name, Ssid, wep_key_1 through wep_key_4, wep_key_length, wep_default_key, cipher, and passphrase. Improper handling and insufficient bounds checking of these parameters allow an attacker to craft malicious input that triggers a stack-based buffer overflow. The overflow can corrupt the stack, potentially enabling remote code execution or denial of service without requiring user interaction or authentication. The vulnerability is remotely exploitable over the network, increasing its risk profile. Although the vendor was notified early, no response or patch has been issued as of the publication date. The exploit code has been publicly disclosed, increasing the likelihood of active exploitation attempts. The CVSS v4.0 score is 8.7, reflecting high impact on confidentiality, integrity, and availability, with low attack complexity and no required privileges or user interaction. This vulnerability poses a significant threat to networks using affected Linksys extenders, especially in environments where these devices are exposed to untrusted networks or the internet.

For European organizations, this vulnerability presents a critical risk to network security infrastructure. Linksys range extenders are commonly deployed in small and medium enterprises as well as home office environments to improve wireless coverage. Exploitation could allow attackers to execute arbitrary code on the device, leading to full compromise of the extender. This can facilitate lateral movement into internal networks, interception or manipulation of network traffic, and disruption of wireless connectivity. Confidential information traversing the network could be exposed or altered, impacting data integrity and privacy compliance obligations under GDPR. The lack of vendor response and absence of patches exacerbate the risk, as organizations must rely on mitigations or device replacement. Given the public availability of exploit code, opportunistic attackers and advanced persistent threat groups may target vulnerable devices, especially in sectors with high-value data or critical infrastructure. The vulnerability also threatens availability, as exploitation can cause device crashes or network outages, impacting business continuity.

European organizations should immediately inventory their network to identify any Linksys RE6250, RE6300, RE6350, RE6500, RE7000, or RE9000 devices running the affected firmware versions. As no official patches are available, organizations should consider the following specific mitigations: 1) Isolate vulnerable extenders on segmented network zones with strict access controls to limit exposure to untrusted networks. 2) Disable remote management interfaces and restrict management access to trusted internal IP addresses only. 3) Monitor network traffic for anomalous requests targeting /goform/addStaProfile or unusual parameter patterns indicative of exploitation attempts. 4) Employ intrusion detection/prevention systems with updated signatures to detect known exploit payloads. 5) Where feasible, replace vulnerable devices with updated hardware or alternative models from vendors with active security support. 6) Implement network-level firewall rules to block unsolicited inbound traffic to extender management ports. 7) Educate IT staff about this vulnerability and ensure incident response plans include steps for potential exploitation scenarios. These targeted actions go beyond generic advice by focusing on containment, detection, and device replacement strategies in the absence of vendor patches.