Introduction
Remote attackers can take control of Linksys RE series range extenders by exploiting a critical stack-based buffer overflow, potentially leading to device takeover and network compromise. This vulnerability affects a broad population of consumer and small business devices, making it a significant concern for anyone relying on these models for wireless coverage.
Linksys is a major global provider of networking hardware, particularly known for its consumer and small business routers and range extenders. With millions of devices deployed worldwide, vulnerabilities in Linksys products have a direct impact on network security in homes and offices.
Technical Information
CVE-2025-8816 is a stack-based buffer overflow in the setOpMode function of the /goform/setOpMode endpoint on Linksys RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000 range extenders running firmware up to 20250801. The vulnerability is triggered when an attacker sends an HTTP request with an oversized ethConv parameter. The function does not properly validate the length of ethConv before copying it into a fixed-size stack buffer, allowing the attacker to overwrite stack memory including the return address. This can result in arbitrary code execution with the privileges of the device firmware, and the attack can be performed remotely without authentication.
The vulnerability is classified as CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow). Exploit code has been published publicly, lowering the barrier for exploitation.
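The missing check described above, as an added example (not Linksys firmware code and not from the advisory): a form-parameter lookup that rejects an oversized ethConv value before anything is copied to the stack. The buffer size ETHCONV_MAX, the function names, and the sample request body are assumptions made for illustration; the real buffer size is not given here.

```c
#include <stddef.h>
#include <string.h>

/* Assumed size for illustration only; the firmware's real buffer size is not stated. */
#define ETHCONV_MAX 32

enum param_status { PARAM_OK = 0, PARAM_MISSING = -1, PARAM_TOO_LONG = -2 };

/* Find name=value in a form-encoded body and copy the value into out
 * only if it fits, terminating NUL included. */
int get_form_param(const char *body, const char *name, char *out, size_t outsz)
{
    size_t nlen = strlen(name);
    const char *p = body;

    while (p && *p) {
        const char *end = strchr(p, '&');
        size_t flen = end ? (size_t)(end - p) : strlen(p);
        /* Match the whole key, so "xethConv=" and "ethConvX=" do not match. */
        if (flen > nlen && strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            size_t vlen = flen - nlen - 1;
            if (vlen >= outsz)
                return PARAM_TOO_LONG;  /* reject; never truncate or overflow */
            memcpy(out, p + nlen + 1, vlen);
            out[vlen] = '\0';
            return PARAM_OK;
        }
        p = end ? end + 1 : NULL;
    }
    return PARAM_MISSING;
}

/* Hypothetical handler shape. The unsafe pattern is an unbounded copy
 * (for example strcpy) of the request value into eth_conv. */
int set_op_mode_checked(const char *body)
{
    char eth_conv[ETHCONV_MAX];
    int rc = get_form_param(body, "ethConv", eth_conv, sizeof eth_conv);
    if (rc != PARAM_OK)
        return rc;              /* caller should answer with an HTTP 4xx */
    /* ... apply the validated eth_conv value here ... */
    return PARAM_OK;
}

int main(void)
{
    /* Constructed sample body. */
    return set_op_mode_checked("opMode=1&ethConv=1") == PARAM_OK ? 0 : 1;
}
```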
Affected Systems and Versions
- Linksys RE6250, RE6300, RE6350, RE6500, RE7000, RE9000
- Firmware versions up to and including 20250801
- Devices are vulnerable in default configurations exposing the /goform/setOpMode endpoint
Vendor Security History
Linksys has experienced a series of similar vulnerabilities in recent years, including:
- CVE-2025-8817: Stack-based buffer overflow in the setLan function (/goform/setLan) in the same device models and firmware versions
- CVE-2025-5445, CVE-2025-5447, CVE-2025-5443, CVE-2025-5438: Multiple OS command injection vulnerabilities in related functions
- CVE-2025-34037: OS command injection in E-Series routers, exploited by TheMoon worm
- CVE-2023-46012: Stack-based buffer overflow in EA7500 routers
- CVE-2014-125122: Stack-based buffer overflow in WRT120N
Multiple advisories note a lack of vendor response to coordinated disclosure, raising concerns about Linksys's vulnerability management and patch response processes.