Skip to main content
CVE Vulnerability Database

CVE-2025-9360: Linksys Re6250 Buffer Overflow Vulnerability

CVE-2025-9360 is a stack-based buffer overflow flaw in Linksys RE6250 firmware that allows remote attackers to exploit the accessControlAdd function. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-9360 Overview

CVE-2025-9360 is a stack-based buffer overflow [CWE-119] affecting multiple Linksys range extender models, including the RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000. The flaw resides in the accessControlAdd function exposed through the /goform/accessControlAdd endpoint. Attackers can manipulate the ruleName or schedule parameters to overflow a fixed-size stack buffer. The attack is remotely exploitable across the network and requires only low-level privileges. Public proof-of-concept material has been disclosed, and the vendor did not respond to coordinated disclosure attempts.

Critical Impact

Remote attackers with low privileges can corrupt the stack of the device web service, potentially crashing the extender or executing arbitrary code on the embedded firmware.

Affected Products

  • Linksys RE6250 firmware 1.0.04.001
  • Linksys RE6300 firmware 1.2.07.001
  • Linksys RE6350 firmware 1.0.04.001, RE6500 firmware 1.0.013.001
  • Linksys RE7000 firmware 1.1.05.003 and RE9000 firmware 1.0.04.002

Discovery Timeline

  • 2025-08-23 - CVE-2025-9360 published to NVD
  • 2025-09-02 - Last updated in NVD database

Technical Details for CVE-2025-9360

Vulnerability Analysis

The vulnerability resides in the accessControlAdd handler implemented in the Linksys range extender web management interface. The handler is reachable through the /goform/accessControlAdd URI and accepts user-supplied parameters used to configure access control rules. Two of those parameters, ruleName and schedule, are copied into fixed-size stack buffers without enforcing length limits. An authenticated request carrying oversized values overruns the buffer, corrupting adjacent stack memory including saved return addresses.

The goform interface is implemented in the web server binary that runs with elevated privileges on the embedded Linux firmware. Successful exploitation may produce a denial of service or arbitrary code execution depending on stack protections present in the firmware build. The public disclosure on GitHub documents the offending parameters and provides reproduction steps.

Root Cause

The root cause is the absence of bounds checking when copying the ruleName and schedule HTTP parameters into local stack buffers inside accessControlAdd. The handler trusts the length of attacker-controlled input rather than validating it against the destination buffer size, satisfying the classic [CWE-119] pattern.

Attack Vector

An attacker reachable over the network sends a crafted HTTP POST request to /goform/accessControlAdd containing an oversized ruleName or schedule value. The required privilege level is low, consistent with authenticated access to the device administration interface. No user interaction is required. See the GitHub vulnerability documentation and the public proof of concept for the exact request structure.

No verified exploit code is republished here. Refer to the linked advisory for technical reproduction details.

Detection Methods for CVE-2025-9360

Indicators of Compromise

  • HTTP POST requests to /goform/accessControlAdd containing abnormally long ruleName or schedule parameter values.
  • Unexpected reboots, web service crashes, or watchdog resets on affected Linksys RE-series extenders.
  • New or unexplained access control rules appearing in the device configuration after external requests.

Detection Strategies

  • Inspect inbound and lateral HTTP traffic for requests to the /goform/accessControlAdd endpoint, focusing on parameter lengths that exceed typical rule name sizes.
  • Correlate device crash logs or syslog reboots with preceding HTTP administrative traffic from non-administrator hosts.
  • Alert on any administrative HTTP access to range extenders originating from untrusted network segments.

Monitoring Recommendations

  • Forward Linksys extender syslog data to a centralized logging platform and baseline normal management activity.
  • Monitor the network segment hosting IoT and consumer-grade devices for unauthorized HTTP POSTs to /goform/* URIs.
  • Track outbound connections from extenders for signs of post-exploitation command-and-control traffic.

How to Mitigate CVE-2025-9360

Immediate Actions Required

  • Restrict the device web management interface to trusted management VLANs and block it from guest or untrusted networks.
  • Change default administrative credentials on all affected Linksys RE-series extenders to limit who can reach the authenticated accessControlAdd endpoint.
  • Inventory deployed RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000 units against the affected firmware versions and prioritize replacement of unsupported models.

Patch Information

No vendor patch is referenced in the advisory. According to the disclosure, Linksys was contacted early but did not respond. Until an official fix is released, treat affected models as unpatched and apply network-level compensating controls. Monitor the Linksys support site and the VulDB entry for updates.

Workarounds

  • Disable remote management on the extender and require local LAN access for any administrative change.
  • Place affected devices behind a firewall rule set that blocks inbound HTTP and HTTPS to the device from any untrusted source.
  • Replace end-of-life RE-series extenders with currently supported hardware that receives security updates.
bash
# Example firewall rule to block external access to the extender admin UI
# Replace 192.0.2.10 with the extender LAN IP
iptables -I FORWARD -d 192.0.2.10 -p tcp --dport 80 -j DROP
iptables -I FORWARD -d 192.0.2.10 -p tcp --dport 443 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.