CVE-2025-9482 is a high-severity stack-based buffer overflow vulnerability affecting multiple Linksys range extender models, including RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000, specifically in firmware versions 1.0.013.001, 1.0.04.001, 1.0.04.002, 1.1.05.003, and 1.2.07.001. The vulnerability resides in the function portRangeForwardAdd, located in the /goform/portRangeForwardAdd endpoint. This function improperly handles the input parameters ruleName, schedule, inboundFilter, TCPPorts, and UDPPorts, allowing an attacker to craft malicious requests that trigger a stack-based buffer overflow. The overflow can be exploited remotely without authentication or user interaction, as the vulnerable endpoint is accessible over the network. The CVSS 4.0 base score is 8.7 (high), reflecting the ease of exploitation (network attack vector, low complexity), no privileges or user interaction required, and the potential for complete compromise of confidentiality, integrity, and availability. The vulnerability can lead to arbitrary code execution, enabling attackers to take full control of the affected device, disrupt network operations, or pivot into internal networks. Despite early notification, Linksys has not responded or issued patches, and public exploits have been released, increasing the risk of active exploitation. This vulnerability is particularly dangerous because range extenders often have elevated network privileges and are less frequently updated, making them attractive targets for attackers aiming to establish persistent footholds or launch further attacks within enterprise or home networks.

For European organizations, this vulnerability poses significant risks. Linksys range extenders are widely used in both small and medium enterprises as well as home office environments across Europe. Exploitation could allow attackers to gain unauthorized access to internal networks by compromising these devices, bypassing perimeter defenses. This can lead to data breaches, interception of sensitive communications, lateral movement, and disruption of network availability. Critical sectors such as finance, healthcare, and government agencies that rely on secure and stable network infrastructure may face operational disruptions and data confidentiality breaches. Additionally, the lack of vendor response and available patches increases the window of exposure, potentially leading to widespread exploitation campaigns targeting European networks. The remote and unauthenticated nature of the exploit further exacerbates the threat, enabling attackers to launch attacks from anywhere, including hostile geopolitical actors targeting European entities.

Given the absence of official patches, European organizations should implement immediate compensating controls. First, isolate affected Linksys range extenders from critical network segments and restrict their management interfaces to trusted administrative networks only. Employ network segmentation to limit the potential lateral movement from compromised devices. Monitor network traffic for anomalous requests to /goform/portRangeForwardAdd and unusual port forwarding configurations indicative of exploitation attempts. Deploy intrusion detection/prevention systems (IDS/IPS) with custom signatures targeting the exploit patterns. Where possible, replace vulnerable devices with models from vendors providing timely security updates. For environments where replacement is not immediately feasible, consider disabling port forwarding features or restricting access to the vulnerable endpoint via firewall rules. Regularly audit device firmware versions and maintain an inventory of all network extenders to ensure rapid identification of vulnerable units. Finally, educate IT staff about this vulnerability and the risks of unpatched network infrastructure devices.