CVE-2025-9358 Overview
CVE-2025-9358 is a stack-based buffer overflow vulnerability affecting multiple Linksys range extenders, including the RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000 models. The flaw resides in the setSysAdm function within the /goform/setSysAdm endpoint, where the admpasshint parameter is not properly bounds-checked before being copied to a fixed-size stack buffer. Attackers with low-privilege access can trigger the overflow remotely across the network. The vendor was contacted about this disclosure but did not respond, and a public exploit has been released.
Critical Impact
Remote attackers can corrupt stack memory on affected Linksys range extenders, potentially leading to arbitrary code execution or device compromise via the admpasshint parameter.
Affected Products
- Linksys RE6250 firmware 1.0.04.001, RE6300 firmware 1.2.07.001, and RE6350 firmware 1.0.04.001
- Linksys RE6500 firmware 1.0.013.001 and RE7000 firmware 1.1.05.003
- Linksys RE9000 firmware 1.0.04.002
Discovery Timeline
- 2025-08-23 - CVE-2025-9358 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-9358
Vulnerability Analysis
The vulnerability exists in the setSysAdm handler exposed through the /goform/setSysAdm HTTP endpoint on affected Linksys range extenders. This handler processes administrative settings submitted from the device web interface. When it reads the admpasshint argument from the incoming request, it copies the attacker-controlled string into a fixed-size stack buffer without validating the input length.
Submitting a long admpasshint value overflows the buffer and overwrites adjacent stack memory. This corrupts saved return addresses and local variables in the handler's stack frame. Successful exploitation can redirect execution flow on the embedded MIPS or ARM firmware, resulting in device compromise. The issue is classified as [CWE-119] — improper restriction of operations within the bounds of a memory buffer.
Root Cause
The root cause is missing input length validation in the setSysAdm function. The firmware trusts the caller-supplied admpasshint field and uses an unsafe string copy operation into a stack-allocated buffer. Because the destination size is fixed and no bounds check is performed, oversized input corrupts the surrounding stack frame.
Attack Vector
Attackers reach the vulnerable endpoint over the network with low-privileged authenticated access to the device management interface. An attacker sends a crafted HTTP POST request to /goform/setSysAdm containing an oversized admpasshint parameter. The exploit has been publicly documented, lowering the barrier to weaponization. See the GitHub Vulnerability Documentation and VulDB #321061 for technical details.
Detection Methods for CVE-2025-9358
Indicators of Compromise
- HTTP POST requests to the /goform/setSysAdm endpoint containing unusually long admpasshint parameter values.
- Unexpected reboots, httpd process crashes, or watchdog resets on Linksys RE-series devices.
- Administrative sessions originating from unfamiliar source IP addresses on the LAN or WAN management interface.
Detection Strategies
- Inspect web server and access logs on the device or upstream proxies for POST requests to /goform/setSysAdm with payload sizes exceeding normal form submissions.
- Deploy network intrusion detection signatures that flag oversized admpasshint parameters or malformed body content targeting the setSysAdm handler.
- Correlate device management traffic with authentication events to identify anomalous administrative activity against range extenders.
Monitoring Recommendations
- Alert on any exposure of the RE-series management interface to the internet or untrusted VLANs.
- Monitor for firmware version strings matching the vulnerable builds (1.0.013.001, 1.0.04.001, 1.0.04.002, 1.1.05.003, 1.2.07.001) in asset inventories.
- Track outbound connections from range extenders to unexpected destinations, which may indicate post-exploitation command-and-control.
How to Mitigate CVE-2025-9358
Immediate Actions Required
- Restrict access to the range extender's management interface to trusted management VLANs and block WAN-side administration.
- Rotate administrative credentials on affected devices and disable remote management if not required.
- Isolate vulnerable RE-series devices from sensitive network segments until they can be replaced or patched.
Patch Information
At the time of disclosure, no vendor patch is available. According to the advisory, Linksys was contacted but did not respond. Organizations should monitor the Linksys Official Website for future firmware updates addressing CVE-2025-9358. Given the end-of-life status of several affected models, replacement with a supported device may be the only long-term remediation path.
Workarounds
- Disable the web-based administration interface where the device supports alternative provisioning, or restrict it to a single trusted host via firewall rules.
- Place the range extender behind a network segment that filters HTTP requests to /goform/setSysAdm from unauthorized sources.
- Replace end-of-life RE-series hardware with a currently supported model that receives security updates.
# Example: block external access to the management interface using an upstream firewall (iptables)
iptables -A FORWARD -p tcp -d <range_extender_ip> --dport 80 -m iprange ! --src-range 10.0.0.10-10.0.0.20 -j DROP
iptables -A FORWARD -p tcp -d <range_extender_ip> --dport 443 -m iprange ! --src-range 10.0.0.10-10.0.0.20 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

