Brief Summary of CVE-2025-8824: Stack-Based Buffer Overflow in Linksys RE Series

This post provides a brief summary of CVE-2025-8824, a stack-based buffer overflow in Linksys RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000 up to firmware 20250801. The vulnerability is triggered via the setRIP function in /goform/setRIP and can be exploited remotely. No patch or detection guidance is available at this time.

ZeroPath CVE Analysis

2025-08-10

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.


Introduction

Attackers can remotely compromise Linksys range extenders in both home and business networks by exploiting a stack-based buffer overflow in the device's web management interface. This flaw, tracked as CVE-2025-8824, affects several widely deployed models and enables arbitrary code execution without authentication, putting network integrity and user data at risk.

Linksys is a major brand in consumer and small business networking, with millions of devices deployed globally. Its RE series range extenders are popular for extending wireless coverage in homes and offices. Security issues in these products have broad impact due to their prevalence and the critical role they play in network infrastructure.

Technical Information

CVE-2025-8824 is a stack-based buffer overflow vulnerability in the setRIP function of the /goform/setRIP endpoint on Linksys RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000 devices running firmware up to 20250801. The vulnerability is triggered by sending an HTTP request to /goform/setRIP with a crafted value for either the RIPmode or RIPpasswd parameter. The device firmware fails to validate the length of these parameters before copying them into a fixed-size stack buffer.

This improper input handling allows an attacker to overflow the buffer and overwrite adjacent stack memory, including control data such as return addresses. Because the vulnerable endpoint does not require authentication, the attack can be performed remotely by anyone with network access to the device's web interface. The vulnerability is classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow).
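
The missing length check described above, as an added illustration in C (not code from the Linksys firmware or from this analysis): the buffer sizes, the rip_cfg struct and all function names are assumptions, since the page gives no firmware internals. set_rip_unchecked shows the unvalidated copy for contrast; set_rip_checked rejects an oversized RIPmode or RIPpasswd value before anything is copied.

```c
#include <stddef.h>
#include <string.h>

/* Constructed sizes: the page does not give the firmware's real buffer sizes. */
#define RIP_MODE_MAX   8
#define RIP_PASSWD_MAX 32

struct rip_cfg { char mode[RIP_MODE_MAX]; char passwd[RIP_PASSWD_MAX]; };

/* Pattern the text describes: request values copied into fixed-size stack
 * buffers with no length check. Kept for contrast only; nothing calls it. */
void set_rip_unchecked(struct rip_cfg *out, const char *rip_mode, const char *rip_passwd)
{
    char mode[RIP_MODE_MAX], passwd[RIP_PASSWD_MAX];
    strcpy(mode, rip_mode);      /* writes past mode[] when the value is too long */
    strcpy(passwd, rip_passwd);  /* same for passwd[] */
    strcpy(out->mode, mode);
    strcpy(out->passwd, passwd);
}

/* Copy src into dst only if it fits together with its terminator.
 * Returns 0 on success, -1 if src is missing or too long (never truncates). */
static int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t n = 0;
    if (src == NULL)
        return -1;
    while (n < dst_size && src[n] != '\0')
        n++;
    if (n >= dst_size)           /* no room left for the NUL terminator */
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Hardened form: both parameters are length-checked before any copy. */
int set_rip_checked(struct rip_cfg *out, const char *rip_mode, const char *rip_passwd)
{
    char mode[RIP_MODE_MAX], passwd[RIP_PASSWD_MAX];
    if (copy_bounded(mode, sizeof mode, rip_mode) != 0 ||
        copy_bounded(passwd, sizeof passwd, rip_passwd) != 0)
        return -1;               /* reject the request; out is left untouched */
    strcpy(out->mode, mode);     /* safe: both values already fit with their NUL */
    strcpy(out->passwd, passwd);
    return 0;
}
```

Rejecting the request instead of truncating keeps a partially applied or silently altered setting from reaching the stored configuration.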

Exploit code for this vulnerability has been published publicly, making it accessible to a wide range of attackers. The flaw is present in all firmware versions up to and including 20250801 for the affected models. No patch is available at this time, and the vendor has not responded to disclosure attempts.

Affected Systems and Versions

  • Linksys RE6250 (firmware up to and including 20250801)
  • Linksys RE6300 (firmware up to and including 20250801)
  • Linksys RE6350 (firmware up to and including 20250801)
  • Linksys RE6500 (firmware up to and including 20250801)
  • Linksys RE7000 (firmware up to and including 20250801)
  • Linksys RE9000 (firmware up to and including 20250801)

All configurations exposing the /goform/setRIP endpoint are vulnerable.

Vendor Security History

Linksys has a documented history of similar vulnerabilities in its networking products, including multiple buffer overflows and command injection flaws. For example, CVE-2025-8816 describes a stack-based buffer overflow in the setOpMode function affecting the same device models. The vendor has been criticized for slow or absent responses to coordinated vulnerability disclosures. In the case of CVE-2025-8824, Linksys did not respond to early disclosure attempts and has not released a patch as of the publication date. This pattern is consistent with previous vulnerabilities such as CVE-2025-5445 and CVE-2025-5446.
