CVE-2025-9244 Overview
CVE-2025-9244 is an OS command injection vulnerability affecting multiple Linksys range extender models, including the RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000. The flaw resides in the addStaticRoute function exposed through the /goform/addStaticRoute endpoint. Authenticated attackers can manipulate the staticRoute_IP_setting, staticRoute_Netmask_setting, staticRoute_Gateway_setting, staticRoute_Metric_setting, or staticRoute_destType_setting parameters to inject arbitrary operating system commands. The exploit has been publicly disclosed. Linksys was contacted before disclosure but did not respond, leaving affected firmware versions without an official patch. The weakness is classified as CWE-77.
Critical Impact
Remote attackers with low-privilege access can execute arbitrary OS commands on affected Linksys range extenders, potentially gaining full control of the device and pivoting into the local network.
Affected Products
- Linksys RE6250 firmware 1.0.04.001, RE6300 firmware 1.2.07.001, and RE6350 firmware 1.0.04.001
- Linksys RE6500 firmware 1.0.013.001 and RE7000 firmware 1.1.05.003
- Linksys RE9000 firmware 1.0.04.002
Discovery Timeline
- 2025-08-20 - CVE-2025-9244 published to NVD
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2025-9244
Vulnerability Analysis
The vulnerability exists in the HTTP handler that processes static route configuration requests on affected Linksys range extenders. The addStaticRoute function reads user-supplied parameters from a POST request to /goform/addStaticRoute and incorporates them into a system command without sanitization or validation. Because the device firmware passes these values to a shell interpreter, an attacker can append shell metacharacters such as ;, |, or backticks to break out of the intended command context and execute arbitrary binaries on the device.
An attacker exploiting this issue achieves command execution in the context of the web management daemon, which on consumer-grade Linksys extenders typically runs as root. This grants full control over the embedded Linux system, including the ability to modify firmware, intercept traffic, and pivot into adjoining network segments. The issue is tracked as a command injection weakness under CWE-77.
Root Cause
The root cause is the absence of input validation and command sanitization on the five route configuration parameters. The handler concatenates attacker-controlled strings directly into a shell command, a classic anti-pattern that allows injection of arbitrary shell syntax. No allowlist of IP-formatted values or escaping of shell metacharacters is applied before invocation.
Attack Vector
The attack is network-reachable through the device's HTTP management interface. An attacker with valid low-privilege credentials, or one who reaches the management interface through default or weak credentials, sends a crafted POST request to /goform/addStaticRoute. Injecting shell metacharacters into any of the five staticRoute_*_setting parameters triggers execution of the appended commands. Public proof-of-concept material has been documented in the GitHub Vulnerability Documentation and VulDB CTI ID #320775.
The vulnerability is exploitable without user interaction. See the GitHub Vulnerability Documentation for parameter-level technical details.
Detection Methods for CVE-2025-9244
Indicators of Compromise
- POST requests to /goform/addStaticRoute containing shell metacharacters (;, |, &, backticks, $()) within staticRoute_IP_setting, staticRoute_Netmask_setting, staticRoute_Gateway_setting, staticRoute_Metric_setting, or staticRoute_destType_setting
- Unexpected outbound connections originating from the range extender's management IP to unknown hosts
- New or modified iptables rules, cron entries, or processes spawned by the HTTP daemon on the device
Detection Strategies
- Inspect HTTP logs at upstream proxies or gateways for requests to /goform/addStaticRoute where route fields contain non-IP characters
- Monitor for static route values that do not match a strict IPv4 dotted-quad regular expression
- Correlate management-interface logins from unexpected source IPs with subsequent administrative configuration changes
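The first two strategies above can be combined into one check over proxy or gateway logs. The following is an added example, not code from the advisory or from Linksys: it assumes the upstream proxy records the form-urlencoded POST body, and the sample records (including the destType value NET) are constructed for illustration.

```python
import re
from urllib.parse import parse_qs

ENDPOINT = "/goform/addStaticRoute"
# Fields checked against the strict dotted-quad pattern.
IPV4_FIELDS = ("staticRoute_IP_setting", "staticRoute_Netmask_setting",
               "staticRoute_Gateway_setting")
# The page gives no valid format for these two, so only metacharacters are checked.
OTHER_FIELDS = ("staticRoute_Metric_setting", "staticRoute_destType_setting")

OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])"
DOTTED_QUAD = re.compile(rf"{OCTET}(?:\.{OCTET}){{3}}")
# Metacharacters listed in the advisory's indicators: ; | & ` $(
SHELL_META = re.compile(r"[;|&`]|\$\(")


def inspect_request(method, path, body):
    """Return (field, decoded value, reason) findings for one logged request."""
    if method.upper() != "POST" or path.split("?", 1)[0] != ENDPOINT:
        return []
    params = parse_qs(body)  # percent-decodes values; blank values are dropped
    findings = []
    for field in IPV4_FIELDS + OTHER_FIELDS:
        for value in params.get(field, []):
            if SHELL_META.search(value):
                findings.append((field, value, "shell metacharacter"))
            elif field in IPV4_FIELDS and not DOTTED_QUAD.fullmatch(value):
                # fullmatch: any character beyond the four octets fails
                findings.append((field, value, "not a dotted-quad IPv4 value"))
    return findings


# Constructed sample records (method, path, form body); not real traffic.
GOOD = ("staticRoute_IP_setting=192.168.50.0&staticRoute_Netmask_setting=255.255.255.0"
        "&staticRoute_Gateway_setting=192.168.1.1&staticRoute_Metric_setting=1"
        "&staticRoute_destType_setting=NET")
SAMPLE_LOG = [
    ("POST", ENDPOINT, GOOD),
    ("POST", ENDPOINT, GOOD.replace("192.168.50.0", "192.168.50.0%3Becho+test")),
    ("POST", ENDPOINT, GOOD.replace("255.255.255.0", "255.255.256.0")),
    ("POST", ENDPOINT, GOOD.replace("Metric_setting=1", "Metric_setting=1%24%28x%29")),
    ("GET", "/index.html", ""),
]

if __name__ == "__main__":
    for n, record in enumerate(SAMPLE_LOG):
        for field, value, reason in inspect_request(*record):
            print(f"record {n}: {field}={value!r} -> {reason}")
```

Values are inspected after percent-decoding, so an encoded metacharacter such as %3B is flagged the same way as a literal one.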
Monitoring Recommendations
- Place the management interfaces of Linksys range extenders on a restricted VLAN with logging enabled on the gateway
- Forward network telemetry from the segment hosting the affected devices into a centralized analytics platform for retrospective hunting
- Alert on any outbound traffic from the range extender other than DNS, NTP, or connections to vendor update endpoints
How to Mitigate CVE-2025-9244
Immediate Actions Required
- Restrict access to the device's web management interface to trusted management hosts only, blocking it at the network perimeter
- Change default credentials on all affected RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000 devices to strong, unique values
- Disable remote administration features and any WAN-side access to the management UI
- Consider replacing the affected end-of-support models with currently supported hardware given the vendor's non-response
Patch Information
At the time of publication, Linksys had not issued a security patch for CVE-2025-9244. The advisory notes that the vendor was contacted but did not respond. Monitor the Linksys Official Website for firmware updates addressing the affected versions 1.0.013.001, 1.0.04.001, 1.0.04.002, 1.1.05.003, and 1.2.07.001.
Workarounds
- Segment the affected range extenders onto an isolated network that cannot reach sensitive internal systems
- Apply ACLs on upstream switches or routers to block HTTP/HTTPS access to the extender's management interface from untrusted hosts
- Monitor for and block POST requests to /goform/addStaticRoute at any inline web application firewall or reverse proxy in front of the device
```bash
# Example: restrict management access using iptables on an upstream Linux gateway
# -A appends to the end of FORWARD: these rules only take effect if no earlier,
# broader ACCEPT rule already matches traffic to the extender.
iptables -A FORWARD -p tcp -d <extender_ip> --dport 80 -s <admin_workstation_ip> -j ACCEPT
iptables -A FORWARD -p tcp -d <extender_ip> --dport 80 -j DROP
iptables -A FORWARD -p tcp -d <extender_ip> --dport 443 -s <admin_workstation_ip> -j ACCEPT
iptables -A FORWARD -p tcp -d <extender_ip> --dport 443 -j DROP
```

