CVE-2025-9575 is a medium-severity OS command injection vulnerability affecting multiple Linksys range extender models, including RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000, specifically in firmware versions 1.0.013.001, 1.0.04.001, 1.0.04.002, 1.1.05.003, and 1.2.07.001. The vulnerability resides in the cgiMain function of the /cgi-bin/upload.cgi script, where improper sanitization of the 'filename' argument allows an attacker to inject arbitrary OS commands. This flaw can be exploited remotely without user interaction or authentication, as indicated by the CVSS vector (AV:N/AC:L/AT:N/UI:N/PR:L). The vulnerability impacts confidentiality, integrity, and availability to a limited extent (VC:L, VI:L, VA:L), reflecting partial but significant control over the device. Although the vendor was notified early, no response or patch has been issued, and no known exploits are currently observed in the wild. The vulnerability's exploitation could allow attackers to execute arbitrary commands on affected devices, potentially leading to device compromise, network pivoting, or disruption of network services. Given the nature of the devices as network extenders, successful exploitation could undermine network security and availability for connected users.

For European organizations, this vulnerability poses a tangible risk to network infrastructure security. Linksys range extenders are commonly used in small to medium enterprises and home office environments to extend Wi-Fi coverage. Exploitation could allow attackers to gain control over these devices, enabling interception or manipulation of network traffic, launching further attacks within the internal network, or causing denial of service by disrupting network connectivity. This is particularly concerning for organizations relying on these devices for critical connectivity or those with less mature network segmentation. The lack of vendor response and patches increases the window of exposure. Additionally, compromised devices could be used as footholds for lateral movement or as part of botnets, amplifying the threat landscape. The medium CVSS score reflects that while the attack requires some privileges (PR:L), it does not require user interaction or complex conditions, making it a realistic threat if attackers gain limited access or exploit other vulnerabilities to escalate privileges.

Given the absence of official patches, European organizations should implement immediate compensating controls. First, restrict remote access to the management interfaces of affected Linksys devices by limiting access to trusted IP ranges or disabling remote management entirely if not required. Network segmentation should isolate these extenders from sensitive internal networks to contain potential compromise. Monitoring network traffic for unusual patterns or command injection attempts targeting /cgi-bin/upload.cgi can aid early detection. Organizations should consider replacing vulnerable devices with updated models or alternative vendors that provide timely security updates. If firmware updates become available, prioritize their deployment. Additionally, enforce strong administrative credentials and regularly audit device configurations. Employ network intrusion detection systems (NIDS) with signatures for command injection attempts targeting Linksys devices. Finally, maintain an inventory of all affected devices to ensure comprehensive coverage of mitigation efforts.