CVE-2025-9575: OS Command Injection in Linksys RE6250
A vulnerability was determined in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. This issue affects the function cgiMain of the file /cgi-bin/upload.cgi. Manipulation of the argument filename can lead to OS command injection. The attack may be performed from a remote location. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-9575 is a security vulnerability identified in several Linksys range extender models, including RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000, specifically affecting firmware versions 1.0.013.001, 1.0.04.001, 1.0.04.002, 1.1.05.003, and 1.2.07.001. The vulnerability resides in the cgiMain function of the /cgi-bin/upload.cgi script, which processes file upload requests. By manipulating the 'filename' argument passed to this CGI script, an attacker can inject OS commands, allowing arbitrary command execution on the underlying operating system. The vulnerability is remotely exploitable without user interaction, which significantly increases its risk profile. The CVSS v4.0 base score is 5.3 (medium severity), reflecting a network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), and no user interaction (UI:N). The impact on confidentiality, integrity, and availability is limited but present (VC:L, VI:L, VA:L), indicating partial compromise potential. The vendor was notified but has not responded or issued patches, and no exploitation in the wild has been observed yet, although a proof of concept has been publicly disclosed. Given the public disclosure and the nature of the vulnerability, attackers could develop exploits to gain unauthorized control over affected devices, potentially using them as pivot points within networks or for launching further attacks.
Potential Impact
For European organizations, this vulnerability presents a tangible risk, especially for those relying on Linksys range extenders in their network infrastructure. Successful exploitation could allow attackers to execute arbitrary commands on these devices, potentially leading to unauthorized access to internal networks, interception or manipulation of network traffic, and disruption of network availability. This is particularly concerning for small and medium enterprises (SMEs) and home office environments where such devices are common and may lack rigorous security monitoring. Compromise of these devices could facilitate lateral movement within corporate networks or be leveraged in botnet activities. The lack of vendor response and patches increases the window of exposure. Additionally, organizations in sectors with stringent data protection requirements (e.g., finance, healthcare) could face compliance risks if such devices are compromised and lead to data breaches.
Mitigation Recommendations
Organizations should immediately inventory their network to identify the presence of affected Linksys range extender models and firmware versions. Until official patches are available, it is recommended to disable remote management interfaces on these devices to prevent external exploitation. Network segmentation should be enforced to isolate these devices from critical infrastructure and sensitive data environments. Employing strict firewall rules to restrict access to the device management interfaces to trusted internal IP addresses can reduce exposure. Monitoring network traffic for unusual activity originating from these devices can help detect exploitation attempts. Where possible, consider replacing vulnerable devices with models from vendors that provide timely security updates. Additionally, organizations should engage with Linksys support channels to seek updates or mitigation guidance and stay informed about any forthcoming patches or advisories.
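The monitoring recommendation above can be made concrete with a small log scanner. This is an added example, not code from the advisory or from Linksys: it flags requests to /cgi-bin/upload.cgi whose filename parameter contains shell metacharacters, the signal a defender would alert on for this bug. It assumes the parameter is visible either in a logged query string or in a logged multipart Content-Disposition header (the advisory does not say which form the device accepts), and the log lines below are constructed samples.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote_plus

# Path and parameter named in the advisory for CVE-2025-9575.
VULN_PATH = "/cgi-bin/upload.cgi"

# Shell metacharacters that have no business in an upload filename.
META = re.compile(r"[;|&`$\n\r<>]")

# filename=... in a query string, or filename="..." in a logged
# multipart Content-Disposition header (assumed log formats).
QS_RE = re.compile(r'[?&]filename=([^&\s"]*)')
CD_RE = re.compile(r'filename="([^"]*)"')

# Constructed sample access-log lines (not real device logs).
SAMPLE_LOGS = [
    '10.0.0.5 - - [28/Aug/2025:18:17:48 +0000] "POST /cgi-bin/upload.cgi?filename=firmware.bin HTTP/1.1" 200 512',
    '10.0.0.9 - - [28/Aug/2025:18:18:02 +0000] "POST /cgi-bin/upload.cgi?filename=a.bin%3Becho%20x HTTP/1.1" 200 512',
    '10.0.0.7 - - [28/Aug/2025:18:18:30 +0000] "GET /index.html?filename=x%3By HTTP/1.1" 200 2048',
    '10.0.0.11 - - [28/Aug/2025:18:19:01 +0000] "POST /cgi-bin/upload.cgi HTTP/1.1" 200 12 '
    'Content-Disposition: form-data; name="file"; filename="pic`echo`.jpg"',
]


def extract_filename(line: str) -> Optional[str]:
    """Return the filename parameter from a log line, or None if absent."""
    m = QS_RE.search(line)
    if m:
        return unquote_plus(m.group(1))  # query strings are percent-encoded
    m = CD_RE.search(line)
    return m.group(1) if m else None  # multipart names are logged verbatim


def is_suspicious(line: str) -> bool:
    """True for an upload.cgi request whose filename carries shell metacharacters."""
    if VULN_PATH not in line:
        return False
    name = extract_filename(line)
    return name is not None and META.search(name) is not None


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, decoded_filename) for every suspicious line."""
    hits = []
    for line in lines:
        if is_suspicious(line):
            hits.append((line.split(" ", 1)[0], extract_filename(line)))
    return hits


if __name__ == "__main__":
    for ip, name in scan(SAMPLE_LOGS):
        print(f"ALERT upload.cgi command-injection attempt from {ip}: filename={name!r}")
```

Requests to other paths with the same characters are deliberately ignored, so the rule stays tied to the vulnerable endpoint rather than firing on every odd filename.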
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-08-28T11:00:44.364Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68b09d4cad5a09ad006ed795
Added to database: 8/28/2025, 6:17:48 PM
Last enriched: 8/28/2025, 6:33:00 PM
Last updated: 8/31/2025, 8:12:05 AM