Skip to main content
CVE Vulnerability Database

CVE-2025-9362: Linksys RE6250 Buffer Overflow Vulnerability

CVE-2025-9362 is a stack-based buffer overflow vulnerability in Linksys RE6250 firmware affecting multiple range extender models. Attackers can exploit this remotely via the urlFilterManageRule function. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2025-9362 Overview

CVE-2025-9362 is a stack-based buffer overflow vulnerability affecting multiple Linksys Wi-Fi range extenders, including the RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000. The flaw exists in the urlFilterManageRule function within the /goform/urlFilterManageRule endpoint. Attackers can trigger the overflow by manipulating the urlFilterRuleName, scheduleUrl, or addURLFilter arguments. The vulnerability is exploitable remotely over the network and is tracked under CWE-119 for improper restriction of operations within memory buffer bounds. According to the VulDB advisory, the vendor was contacted prior to disclosure but did not respond.

Critical Impact

Remote attackers with low-privilege authentication can corrupt memory on affected Linksys range extenders, potentially disrupting service or influencing program control flow.

Affected Products

  • Linksys RE6250 firmware 1.0.04.001 and RE6350 firmware 1.0.04.001
  • Linksys RE6300 firmware 1.2.07.001 and RE6500 firmware 1.0.013.001
  • Linksys RE7000 firmware 1.1.05.003 and RE9000 firmware 1.0.04.002

Discovery Timeline

  • 2025-08-23 - CVE-2025-9362 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-9362

Vulnerability Analysis

The vulnerability resides in the urlFilterManageRule function handling requests to the /goform/urlFilterManageRule web interface endpoint. This handler processes URL filtering rules submitted through the device's administrative interface. The function copies user-supplied data from the urlFilterRuleName, scheduleUrl, and addURLFilter parameters into fixed-size stack buffers without validating input length.

When an attacker supplies an oversized value for any of these three parameters, the copy operation writes past the allocated buffer boundary. This corrupts adjacent stack memory, including saved return addresses and frame pointers. The result is memory corruption that can crash the device or, depending on the binary layout, redirect execution flow.

According to the public technical writeup, the issue affects a shared codebase across multiple RE-series range extenders. The EPSS score is 0.514% with a percentile of 39.695, indicating limited observed exploitation activity at this time.

Root Cause

The root cause is missing bounds checking on three HTTP parameters processed by urlFilterManageRule. The function uses unsafe string-copy primitives that do not enforce destination buffer size limits, classifying the flaw under CWE-119. Embedded firmware in consumer range extenders often lacks stack canaries and address-space layout randomization, which amplifies the impact of such overflows.

Attack Vector

An attacker with network access and low-privilege credentials to the device's web management interface sends a crafted HTTP request to /goform/urlFilterManageRule. The request includes an oversized payload in urlFilterRuleName, scheduleUrl, or addURLFilter. The attack does not require user interaction. Devices exposing the administrative interface to untrusted networks face higher risk.

No verified proof-of-concept code is available in the realCodeExamples set. Refer to the GitHub vulnerability documentation for technical details on parameter structure and reproduction steps.

Detection Methods for CVE-2025-9362

Indicators of Compromise

  • HTTP POST requests to /goform/urlFilterManageRule containing unusually long values in urlFilterRuleName, scheduleUrl, or addURLFilter parameters.
  • Unexpected reboots, web interface crashes, or service unavailability on Linksys RE-series range extenders following administrative requests.
  • Repeated authentication attempts against the device admin portal from unfamiliar source IP addresses preceding malformed requests.

Detection Strategies

  • Deploy network intrusion detection rules that inspect HTTP request bodies destined for /goform/urlFilterManageRule and flag parameter values exceeding expected lengths.
  • Capture device syslog or remote logging output and alert on watchdog resets or HTTP daemon restarts correlated with administrative traffic.
  • Inventory all Linksys range extenders on the network and verify firmware versions against the affected list above.

Monitoring Recommendations

  • Monitor outbound connections from range extenders for unexpected destinations that could indicate post-exploitation activity.
  • Track configuration changes to URL filtering rules via management console audit logs.
  • Review authentication logs for anomalous access patterns to administrative endpoints from internal client subnets.

How to Mitigate CVE-2025-9362

Immediate Actions Required

  • Restrict access to the device administrative web interface to trusted management subnets only and disable remote administration over WAN.
  • Change default and weak administrator credentials on all affected Linksys RE-series devices.
  • Segment range extenders onto a dedicated VLAN isolated from sensitive endpoints and servers.
  • Consider replacing end-of-support models if the vendor does not provide a patched firmware release.

Patch Information

No vendor patch is currently available. According to the VulDB entry, Linksys was contacted about the disclosure but did not respond. Monitor the Linksys official website for firmware updates addressing CVE-2025-9362 and apply them as soon as they are released.

Workarounds

  • Disable the URL filtering feature on affected devices if it is not required in your environment.
  • Place affected range extenders behind a firewall that blocks unsolicited HTTP/HTTPS access to the administrative port.
  • Replace affected models with currently supported networking hardware where feasible, particularly for devices reaching end-of-life status.
bash
# Example: restrict admin interface access using upstream firewall rules
iptables -A FORWARD -p tcp -d <range_extender_ip> --dport 80 -s <trusted_mgmt_subnet> -j ACCEPT
iptables -A FORWARD -p tcp -d <range_extender_ip> --dport 80 -j DROP
iptables -A FORWARD -p tcp -d <range_extender_ip> --dport 443 -s <trusted_mgmt_subnet> -j ACCEPT
iptables -A FORWARD -p tcp -d <range_extender_ip> --dport 443 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.