Introduction
Remote attackers can take full control of Linksys RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000 range extenders by exploiting a stack-based buffer overflow in the wireless configuration interface. This vulnerability, tracked as CVE-2025-8820, affects devices running firmware up to 20250801 and has public exploit code available, making it a high-priority concern for any environment relying on these devices for wireless coverage.
Linksys is a leading manufacturer of consumer and small business networking hardware, with a global user base numbering in the millions. Their range extender product line is widely deployed in homes and small offices, making vulnerabilities in these devices particularly impactful across the industry.
Technical Information
CVE-2025-8820 is a stack-based buffer overflow in the wirelessBasic function of the /goform/wirelessBasic endpoint. The vulnerability is triggered when an attacker submits an HTTP request with an oversized value for the submit_SSID1 parameter. The device firmware copies this value into a fixed-size stack buffer without validating its length. As a result, the attacker can overwrite adjacent stack memory, including the function's return address, and achieve arbitrary code execution with the privileges of the device firmware.
Key technical points:
- The vulnerable code path is in the wirelessBasic function, accessible via /goform/wirelessBasic.
- The submit_SSID1 parameter is not properly bounds-checked before being copied into a stack buffer.
- Exploitation is possible remotely and does not require authentication.
- The vulnerability is classified as CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow).
- Public exploit code is available, lowering the barrier for exploitation.
No code snippets from the device firmware are available in public sources. The vulnerability mechanism is consistent with other stack-based buffer overflows in embedded web interfaces, where unsafe string copy operations (such as strcpy) are used without proper length validation.
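The length check that is missing on the device can be applied by a defender to captured or proxied requests for the endpoint. The following is an added example, not code from the firmware or from the sources behind this advisory. The record layout, the function names and the 32-byte threshold (the 802.11 SSID maximum) are assumptions.

```python
from urllib.parse import unquote_to_bytes

ENDPOINT = "/goform/wirelessBasic"  # endpoint named in the advisory
PARAM = b"submit_SSID1"             # parameter named in the advisory
MAX_SSID_BYTES = 32                 # assumption: 802.11 SSID limit as threshold


def decoded(field: str) -> bytes:
    """Decode one urlencoded name or value to raw bytes ('+' means space)."""
    return unquote_to_bytes(field.replace("+", " "))


def ssid_lengths(encoded: str) -> list[int]:
    """Decoded byte length of every submit_SSID1 value in a urlencoded string."""
    lengths = []
    for pair in encoded.split("&"):
        name, _, value = pair.partition("=")
        if decoded(name) == PARAM:
            lengths.append(len(decoded(value)))
    return lengths


def flag_requests(records):
    """Return (source, longest_ssid_bytes) for requests exceeding the limit."""
    hits = []
    for source, path, body in records:
        target, _, query = path.partition("?")
        if target.rstrip("/") != ENDPOINT:
            continue
        # Check query string and body: where the firmware reads it is unknown.
        lengths = ssid_lengths(query) + ssid_lengths(body)
        if lengths and max(lengths) > MAX_SSID_BYTES:
            hits.append((source, max(lengths)))
    return hits


# Constructed sample records (documentation addresses), not real traffic.
SAMPLE = [
    ("192.0.2.10", "/goform/wirelessBasic", "submit_SSID1=HomeNet_Ext&x=1"),
    ("192.0.2.11", "/goform/wirelessBasic", "submit_SSID1=" + "%C3%A9" * 10),
    ("192.0.2.77", "/goform/wirelessBasic", "submit_SSID1=" + "A" * 300),
    ("192.0.2.78", "/goform/wirelessBasic?x=1", "a=b&submit_SSID1=" + "%41" * 40),
    ("192.0.2.79", "/goform/other", "submit_SSID1=" + "A" * 300),
]

if __name__ == "__main__":
    for source, length in flag_requests(SAMPLE):
        print(f"{source}: submit_SSID1 is {length} bytes (limit {MAX_SSID_BYTES})")
```

Lengths are measured after percent-decoding, so a 20-byte SSID written as 60 encoded characters is not flagged, while 40 encoded bytes are.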
Affected Systems and Versions
The following Linksys range extender models and firmware versions are affected:
- RE6250 (firmware up to 20250801)
- RE6300 (firmware up to 20250801)
- RE6350 (firmware up to 20250801)
- RE6500 (firmware up to 20250801)
- RE7000 (firmware up to 20250801)
- RE9000 (firmware up to 20250801)
All configurations where the web management interface is accessible are vulnerable.
Vendor Security History
Linksys has experienced multiple critical vulnerabilities in its range extender product line in 2025, including:
- CVE-2025-8816 (stack-based buffer overflow in the setOpMode function)
- CVE-2025-5445 (OS command injection in RP_checkFWByBBS)
- CVE-2025-5443, CVE-2025-5447, CVE-2025-5438 (other critical memory safety issues)
Reports indicate that Linksys has not responded to coordinated disclosure efforts for these vulnerabilities, and no patches have been released as of the disclosure date. This pattern raises concerns about the vendor's security maturity and responsiveness.