CVE-2025-6752 Overview
CVE-2025-6752 is a stack-based buffer overflow in the Universal Plug and Play (UPnP) Internet Gateway Device (IGD) implementation of several Linksys routers. The flaw resides in the SetDefaultConnectionService function reachable through /upnp/control/Layer3Forwarding. An attacker who can reach the UPnP service can manipulate the NewDefaultConnectionService argument to overflow a stack buffer. The vulnerability affects Linksys WRT1900ACS, EA7200, EA7450, and EA7500 firmware up to build 20250619. The vendor was contacted prior to disclosure but did not respond, and a proof-of-concept has been published.
Critical Impact
Remote attackers with network access to the UPnP service can corrupt stack memory in the IGD handler, enabling potential arbitrary code execution on the router and full compromise of the device.
Affected Products
- Linksys WRT1900ACS (firmware up to 20250619)
- Linksys EA7200, EA7450, and EA7500 (firmware up to 20250619)
- UPnP IGD Layer3Forwarding service component
Discovery Timeline
- 2025-06-27 - CVE-2025-6752 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-6752
Vulnerability Analysis
The vulnerability is a stack-based buffer overflow classified under [CWE-119] (Improper Restriction of Operations within the Bounds of a Memory Buffer). The flaw exists in the UPnP IGD service that Linksys routers expose to handle gateway control actions defined by the Layer3Forwarding:1 service specification. The SetDefaultConnectionService action accepts a NewDefaultConnectionService string argument, which the firmware copies into a fixed-size stack buffer without enforcing length limits. Writing past the buffer corrupts adjacent stack memory, including saved return addresses. An attacker who controls the overflow can redirect execution flow on the embedded MIPS or ARM processor used by the affected models.
Root Cause
The root cause is the absence of bounds checking on the NewDefaultConnectionService SOAP argument before it is written into a local stack buffer inside the UPnP daemon. The handler trusts client-supplied length and content, which is the classic precondition for stack smashing.
Attack Vector
Exploitation requires network reachability to the router's UPnP control endpoint at /upnp/control/Layer3Forwarding. UPnP is typically exposed on the LAN, but misconfigurations, exposed WAN UPnP, or compromised internal hosts can put it within reach. The attacker sends a crafted SOAP POST request invoking SetDefaultConnectionService with an oversized NewDefaultConnectionService value. According to the published proof-of-concept referenced in the GitHub PoC Repository and VulDB #314050, the overflow is triggerable without authentication beyond what the LAN-side UPnP service requires.
No verified exploit code is reproduced here. Technical details and the proof-of-concept are available in the VulDB submission #600638 and the referenced PoC repository.
Detection Methods for CVE-2025-6752
Indicators of Compromise
- HTTP POST requests to /upnp/control/Layer3Forwarding containing unusually long NewDefaultConnectionService values inside the SOAP body.
- Router crashes, UPnP daemon restarts, or unexpected reboots correlated with inbound UPnP traffic.
- New outbound connections initiated by the router itself after suspicious UPnP activity, which can indicate post-exploitation implants.
Detection Strategies
- Inspect network traffic to TCP ports used by the UPnP control service (commonly 1900, 49152, or 5000) for SOAP requests invoking SetDefaultConnectionService.
- Flag SOAP arguments where NewDefaultConnectionService exceeds expected URI lengths (for example, more than 256 bytes).
- Correlate router syslog events showing segmentation faults or watchdog-initiated reboots with prior UPnP control requests.
Monitoring Recommendations
- Forward router logs and UPnP daemon events into a centralized logging or SIEM platform for retention and alerting.
- Monitor for unauthorized changes to the router's NAT, port-forwarding, and default gateway service configuration.
- Alert on any external (WAN-side) traffic reaching UPnP listening ports, which should never be reachable from the internet.
How to Mitigate CVE-2025-6752
Immediate Actions Required
- Restrict access to the router's UPnP service to trusted management hosts only, and confirm UPnP is not exposed on the WAN interface.
- Disable UPnP IGD on affected Linksys WRT1900ACS, EA7200, EA7450, and EA7500 devices if not strictly required by applications on the LAN.
- Segment IoT and untrusted client networks away from the router's management plane to limit who can reach /upnp/control/Layer3Forwarding.
- Reboot and reconfigure routers showing unexplained instability, and treat persistent compromise as possible given the lack of vendor response.
Patch Information
No vendor patch is currently referenced in NVD. According to the disclosure record, Linksys did not respond to the researcher prior to publication. Affected administrators should monitor the Linksys Official Website for firmware updates beyond build 20250619 and apply them as soon as they are released.
Workarounds
- Disable UPnP entirely in the router's administration interface until a fixed firmware is available.
- Block external access to UPnP control ports at any upstream firewall or ISP-provided gateway.
- Replace end-of-life models such as the WRT1900ACS and EA7200 with currently supported hardware if firmware updates are not forthcoming.
- Place vulnerable routers behind a separate filtering device that can drop SOAP requests targeting /upnp/control/Layer3Forwarding from untrusted sources.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
