Introduction
Remote attackers can gain code execution on Linksys RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000 range extenders by exploiting a stack-based buffer overflow in the device's web management interface. With no patch available and public exploits circulating, this vulnerability exposes a large population of consumer and SMB networks to compromise.
Linksys is a globally recognized networking hardware vendor, part of Belkin and Foxconn, with a significant share of the consumer and small business WiFi market. The RE series range extenders are widely deployed for wireless coverage extension, making vulnerabilities in these products impactful for millions of users worldwide.
Technical Information
CVE-2025-9359 is a stack-based buffer overflow in the RP_checkCredentialsByBBS function, accessible via the /goform/RP_checkCredentialsByBBS endpoint on affected Linksys RE series devices. The vulnerability is triggered when the ssidhex or pwd parameters in an HTTP POST request are not properly validated for length before being copied into fixed-size stack buffers.
When an attacker submits an oversized value for either parameter, the function performs an unsafe copy operation, causing stack memory corruption. This can overwrite the return address or function pointers on the stack, leading to arbitrary code execution under the context of the device firmware. The vulnerability is remotely exploitable and does not require authentication.
The issue is classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow). The root cause is lack of input length validation and unsafe memory handling in the web interface code. Public exploit code and detailed technical writeups are available, making exploitation accessible to a wide range of attackers.
Affected Systems and Versions
The following Linksys range extenders and firmware versions are affected:
- RE6250: 1.0.013.001
- RE6300: 1.0.04.001, 1.0.04.002
- RE6350: 1.0.04.001, 1.0.04.002
- RE6500: 1.1.05.003
- RE7000: 1.2.07.001
- RE9000: 1.2.07.001
All configurations with the web management interface enabled are vulnerable.
Vendor Security History
Linksys has a documented history of similar vulnerabilities in the RE series firmware. Notable related CVEs include:
- CVE-2025-9355: Stack-based buffer overflow in scheduleAddviaruleName
- CVE-2025-9356: Stack-based buffer overflow in inboundFilterAddviaruleName
- CVE-2025-8832: Stack-based buffer overflow in setDMZviaDMZIPAddress
- CVE-2025-8833: Stack-based buffer overflow in langSwitchBackvialangSelectionOnly
For all of these, the vendor did not respond to coordinated disclosure attempts and no official patches have been released. This pattern indicates persistent issues in secure development and vulnerability management practices.
