CVE-2025-9359 Overview
CVE-2025-9359 is a stack-based buffer overflow vulnerability affecting multiple Linksys range extender devices, including the RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000. The flaw resides in the RP_checkCredentialsByBBS function within the /goform/RP_checkCredentialsByBBS endpoint. Attackers manipulate the ssidhex or pwd arguments to trigger memory corruption on the device stack. The issue is remotely exploitable across the network. Public exploitation details have been disclosed, and the vendor did not respond to disclosure attempts.
Critical Impact
Remote attackers with low privileges can trigger a stack-based buffer overflow on affected Linksys range extenders, potentially leading to arbitrary code execution or device compromise.
Affected Products
- Linksys RE6250 firmware 1.0.04.001
- Linksys RE6300 firmware 1.2.07.001 and RE6350 firmware 1.0.04.001
- Linksys RE6500 firmware 1.0.013.001, RE7000 firmware 1.1.05.003, and RE9000 firmware 1.0.04.002
Discovery Timeline
- 2025-08-23 - CVE-2025-9359 published to the National Vulnerability Database (NVD)
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-9359
Vulnerability Analysis
The vulnerability exists in the RP_checkCredentialsByBBS function exposed through the /goform/RP_checkCredentialsByBBS HTTP endpoint on the affected Linksys range extender web management interface. The function processes credential-related parameters submitted by clients during the access-point credential validation workflow.
The ssidhex and pwd parameters lack proper bounds checking before being copied into fixed-size stack buffers. Submitting oversized values for either parameter overwrites adjacent stack memory, including saved return addresses and frame pointers. This memory corruption pattern aligns with [CWE-119]: Improper Restriction of Operations within the Bounds of a Memory Buffer.
Successful exploitation allows attackers to influence control flow on the device. On embedded MIPS or ARM targets typical of these range extenders, attackers can chain return-oriented programming gadgets to achieve arbitrary code execution as the web server process, which commonly runs with root privileges.
Root Cause
The root cause is the absence of input length validation in RP_checkCredentialsByBBS. The handler copies user-supplied ssidhex and pwd values directly into stack-allocated buffers using unbounded string operations. Linksys did not implement size constraints or safer string functions in the firmware versions identified.
Attack Vector
The attack vector is network-accessible. An authenticated attacker with low privileges sends a crafted HTTP request to /goform/RP_checkCredentialsByBBS containing oversized ssidhex or pwd parameters. No user interaction is required. The exploit can be initiated from the local network segment where the range extender's management interface is reachable. Public proof-of-concept material has been documented in the GitHub vulnerability repository.
No verified exploit code is reproduced here. Technical details and proof-of-concept artifacts are available at the GitHub PoC repository and VulDB entry #321062.
Detection Methods for CVE-2025-9359
Indicators of Compromise
- HTTP POST requests targeting /goform/RP_checkCredentialsByBBS with abnormally long ssidhex or pwd parameter values
- Unexpected reboots, crashes, or web service restarts on Linksys RE6250, RE6300, RE6350, RE6500, RE7000, or RE9000 devices
- Outbound connections from range extenders to unknown external IP addresses, suggesting post-exploitation command and control
Detection Strategies
- Inspect web traffic destined for range extender management interfaces for requests to /goform/RP_checkCredentialsByBBS with parameter lengths exceeding typical SSID (32 bytes) or passphrase (63 bytes) limits
- Deploy network intrusion detection signatures that flag oversized form parameters submitted to Linksys /goform/ endpoints
- Correlate authentication events on the range extender web interface with subsequent anomalous device behavior
Monitoring Recommendations
- Restrict and log all administrative access to range extender management interfaces using network segmentation and ACLs
- Monitor device uptime and process telemetry where available to detect repeated service crashes consistent with exploitation attempts
- Forward network flow logs from the management VLAN to a centralized analytics platform for retrospective hunting
How to Mitigate CVE-2025-9359
Immediate Actions Required
- Disable remote administration on affected Linksys range extenders and restrict management access to a trusted administrative VLAN
- Place affected devices behind a firewall that blocks untrusted access to TCP ports used by the web management interface
- Inventory the network for Linksys RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000 devices running the affected firmware versions
- Plan replacement of affected range extenders if no vendor patch becomes available, particularly for end-of-life models
Patch Information
No vendor patch has been published. The disclosing party reports that Linksys was contacted early about this issue but did not respond. Monitor the Linksys official website for future firmware updates addressing this vulnerability. Until a patch is released, treat affected devices as unpatched and apply compensating network controls.
Workarounds
- Isolate range extenders on a dedicated network segment with strict ingress filtering to block untrusted hosts from reaching the management interface
- Change default credentials and enforce strong administrator passwords to raise the cost of the low-privilege precondition required for exploitation
- Where business requirements permit, replace affected end-of-life range extenders with currently supported hardware that receives security updates
# Example iptables rule to restrict access to the Linksys management interface
# Replace 192.0.2.10 with the range extender IP and 192.0.2.0/24 with the admin subnet
iptables -A FORWARD -s 192.0.2.0/24 -d 192.0.2.10 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -d 192.0.2.10 -p tcp --dport 80 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

