Linksys RE Series CVE-2025-8826: Brief Summary of Stack-Based Buffer Overflow in /goform/RP_setBasicAuto

This post provides a brief summary of CVE-2025-8826, a stack-based buffer overflow in Linksys RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000 range extenders up to firmware 20250801. The vulnerability is remotely exploitable via the /goform/RP_setBasicAuto endpoint. No patch or detection guidance is currently available.
ZeroPath CVE Analysis

2025-08-10

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

Introduction

Remote attackers can take control of Linksys RE series range extenders by exploiting a stack-based buffer overflow in their web management interface. This flaw impacts a wide range of consumer and small business deployments, with no vendor patch or official remediation available as of this writing.

Linksys is a globally recognized networking hardware vendor, with millions of devices deployed in homes and offices. The RE series range extenders are among their most popular products, designed to extend wireless coverage in residential and small business environments. The company's firmware has faced repeated scrutiny for memory corruption and command injection vulnerabilities, particularly in recent years.

Technical Information

CVE-2025-8826 is a stack-based buffer overflow in the um_rp_autochannel function, exposed via the /goform/RP_setBasicAuto endpoint on Linksys RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000 range extenders running firmware up to 20250801.

The vulnerability is triggered when an attacker submits an HTTP POST request with an overly long value for either the apcli_AuthMode_2G or apcli_AuthMode_5G parameter. The function copies these parameters into a fixed-size stack buffer without proper bounds checking. If the supplied value exceeds the buffer size, adjacent stack memory is overwritten, potentially including the function's return address. This can enable remote code execution if the attacker crafts the payload correctly.
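To make the defect concrete, the following added example (not Linksys firmware code, which is not reproduced here) models the unbounded parameter copy the post describes beside a bounded replacement that refuses over-long values; the 32-byte buffer size, the helper and function names, and the sample values are assumptions.

```c
/* Added illustration of the CWE-121 pattern described for um_rp_autochannel.
 * AUTHMODE_BUF, the function names and the sample values are assumptions;
 * only the apcli_AuthMode_2G / apcli_AuthMode_5G field names come from the post. */
#include <stdio.h>
#include <string.h>

#define AUTHMODE_BUF 32   /* assumed size of the fixed stack buffer */

/* Vulnerable pattern: each form value is copied into a fixed stack buffer with
 * no length check, so an over-long value overwrites adjacent stack memory.
 * Shown for contrast only; never call it with untrusted input. */
void rp_autochannel_vulnerable(const char *auth_2g, const char *auth_5g)
{
    char mode_2g[AUTHMODE_BUF];
    char mode_5g[AUTHMODE_BUF];
    strcpy(mode_2g, auth_2g);   /* no bounds check */
    strcpy(mode_5g, auth_5g);   /* no bounds check */
    printf("2G=%s 5G=%s\n", mode_2g, mode_5g);
}

/* Hardened helper: copy src into dst only if it fits with its NUL terminator.
 * memchr never scans past dst_sz bytes, so an unterminated or over-long value
 * is rejected before anything is written. Returns 0 on success, -1 otherwise. */
int copy_bounded(char *dst, size_t dst_sz, const char *src)
{
    if (src == NULL || dst_sz == 0) return -1;
    const char *end = memchr(src, '\0', dst_sz);
    if (end == NULL) return -1;          /* no NUL within dst_sz: too long */
    size_t n = (size_t)(end - src);
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Hardened handler: refuse the whole request if either value is too long. */
int rp_autochannel_hardened(const char *auth_2g, const char *auth_5g)
{
    char mode_2g[AUTHMODE_BUF];
    char mode_5g[AUTHMODE_BUF];
    if (copy_bounded(mode_2g, sizeof mode_2g, auth_2g) != 0) return -1;
    if (copy_bounded(mode_5g, sizeof mode_5g, auth_5g) != 0) return -1;
    printf("accepted 2G=%s 5G=%s\n", mode_2g, mode_5g);
    return 0;
}

int main(void)
{
    /* constructed sample values: one normal request, one with an over-long field */
    char longval[64];
    memset(longval, 'A', sizeof longval - 1);
    longval[sizeof longval - 1] = '\0';
    rp_autochannel_hardened("WPA2PSK", "WPA2PSK");   /* accepted */
    return rp_autochannel_hardened(longval, "WPA2PSK") == -1 ? 0 : 1; /* refused */
}
```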

The endpoint is accessible via the device's web management interface, and exploitation does not require authentication. The vulnerability falls under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow).

No patch or official workaround is available. The vendor has not responded to disclosure attempts.

Affected Systems and Versions

  • Linksys RE6250 (firmware up to 20250801)
  • Linksys RE6300 (firmware up to 20250801)
  • Linksys RE6350 (firmware up to 20250801)
  • Linksys RE6500 (firmware up to 20250801)
  • Linksys RE7000 (firmware up to 20250801)
  • Linksys RE9000 (firmware up to 20250801)

All configurations with the vulnerable firmware are affected. The vulnerability is present in the default configuration and does not require any special setup.

Vendor Security History

Linksys has a documented history of memory corruption and command injection vulnerabilities in its firmware, especially in the RE series. Recent disclosures include:

  • CVE-2025-8816: Stack-based buffer overflow in setOpMode
  • CVE-2025-8817: Stack-based buffer overflow in setLan
  • CVE-2025-5442: OS command injection in RP_pingGatewayByBBS
  • CVE-2025-5445: OS command injection in RP_checkFWByBBS
  • CVE-2025-5446: OS command injection in RP_checkCredentialsByBBS

Multiple advisories note that Linksys has not responded to coordinated disclosure attempts for these issues, and patches are often delayed or unavailable.
