Linksys RE Series Buffer Overflow (CVE-2025-8822): Brief Summary and Technical Review

This post provides a brief summary and technical review of CVE-2025-8822, a stack-based buffer overflow in Linksys RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000 range extenders up to firmware 20250801. The vulnerability allows remote unauthenticated exploitation via the /goform/setOpMode endpoint. No official patch or detection method is available at publication time.

ZeroPath CVE Analysis

2025-08-10

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

Introduction

Remote attackers can take over Linksys RE series range extenders by exploiting a stack-based buffer overflow in the device's web interface. CVE-2025-8822 affects a wide range of popular consumer and SMB WiFi extenders, exposing networks to code execution risks with no authentication required.

Linksys is a major brand in the global consumer and SMB networking market, with millions of deployed devices. The RE series range extenders are widely used to expand wireless coverage in homes and offices, often running for years without updates or active management.

Technical Information

CVE-2025-8822 is a stack-based buffer overflow in the algDisable function of the /goform/setOpMode endpoint on Linksys RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000 devices with firmware up to 20250801.

The vulnerability is triggered when a remote attacker sends an HTTP POST request to /goform/setOpMode with an opMode parameter whose value exceeds the size of the stack buffer allocated in the algDisable function. The function copies the opMode value into a fixed-size stack buffer without proper bounds checking. This allows the attacker to overwrite adjacent stack memory, including the saved return address, and potentially redirect execution to attacker-controlled code.

The endpoint is accessible without authentication, so any device reachable on the network (or from the internet, if exposed) is vulnerable. The vulnerability is classified as CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow).

Public exploit code is available, which increases the risk of automated exploitation and inclusion in botnets or malware campaigns.
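
The request shape described above (a POST to /goform/setOpMode carrying an over-long opMode value) can be matched at a reverse proxy or in captured traffic. The following is an added example, not code from the original post or from Linksys; the 32-byte limit, the sample requests and the /goform/other path are assumptions, since the post does not state the buffer size or the legitimate opMode values.

```python
from urllib.parse import parse_qsl, urlsplit

ENDPOINT = "/goform/setOpMode"  # path named in the advisory
PARAM = "opMode"                # parameter named in the advisory
MAX_LEN = 32                    # ASSUMPTION: tune to the longest legitimate value you observe

def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, path, form fields)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].decode("latin-1").split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, _version = parts
    url = urlsplit(target)
    # Fields may arrive in the query string or the urlencoded body; collect both.
    # latin-1 keeps one character per decoded byte, so len() is a byte count.
    fields = parse_qsl(url.query, keep_blank_values=True, encoding="latin-1")
    fields += parse_qsl(body.decode("latin-1"), keep_blank_values=True,
                        encoding="latin-1")
    return method.upper(), url.path, fields

def check_request(raw: bytes, max_len: int = MAX_LEN):
    """Return a finding dict for an oversized opMode POST, else None."""
    try:
        method, path, fields = parse_request(raw)
    except ValueError:
        return None
    if method != "POST" or path.rstrip("/") != ENDPOINT:
        return None
    # Measure the percent-decoded value: that is what the handler would copy.
    longest = max((len(v) for k, v in fields if k == PARAM), default=0)
    if longest > max_len:
        return {"rule": "CVE-2025-8822-oversized-opMode",
                "length": longest, "limit": max_len}
    return None

# Constructed sample requests (not captured traffic).
HDR = b"Host: 192.0.2.10\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n"
BENIGN = b"POST /goform/setOpMode HTTP/1.1\r\n" + HDR + b"opMode=1"
OVERSIZED = b"POST /goform/setOpMode HTTP/1.1\r\n" + HDR + b"opMode=" + b"%41" * 200
OTHER_PATH = b"POST /goform/other HTTP/1.1\r\n" + HDR + b"opMode=" + b"%41" * 200

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("oversized", OVERSIZED),
                      ("other path", OTHER_PATH)):
        print(name, check_request(req))
```

The check measures the decoded length, so a percent-encoded value is judged by the bytes that would reach the handler rather than by its size on the wire.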

Affected Systems and Versions

  • Linksys RE6250, RE6300, RE6350, RE6500, RE7000, RE9000
  • All firmware versions up to and including 20250801
  • Devices with the web management interface accessible from untrusted networks are at highest risk

Vendor Security History

Linksys has a history of critical vulnerabilities in its networking products, especially in the RE series. Recent CVEs include:

  • CVE-2025-8816 and CVE-2025-8817: Stack-based buffer overflows in similar endpoints
  • CVE-2025-5438, CVE-2025-5441, CVE-2025-5442, CVE-2025-5443, CVE-2025-5445, CVE-2025-5446, CVE-2025-5447: Command injection vulnerabilities in the same device family
  • CVE-2025-34037: OS command injection in E-Series routers, exploited by TheMoon botnet

The vendor has not responded to disclosure attempts for CVE-2025-8822, and no patch is available as of publication.
