Introduction
Remote attackers can take full control of vulnerable Linksys range extenders by exploiting a stack buffer overflow in the device's web interface. This issue affects a wide range of popular models used in homes and small businesses, exposing networks to code execution and persistent compromise.
Linksys is a well-known brand in the consumer and SMB networking market, with millions of devices deployed worldwide. The RE series (RE6250, RE6300, RE6350, RE6500, RE7000, RE9000) are commonly used for wireless range extension and mesh networking in both residential and commercial settings. The security of these devices is critical for the integrity of local networks and the privacy of users.
Technical Information
CVE-2025-8832 is a stack-based buffer overflow vulnerability in the setDMZ function of the Linksys RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000 range extenders, affecting firmware up to version 20250801. The vulnerability is present in the HTTP management interface, specifically the /goform/setDMZ endpoint.
The root cause is insufficient bounds checking on the DMZIPAddress parameter. When a user (or attacker) submits a request to configure the DMZ settings, the value of DMZIPAddress is copied into a fixed-size stack buffer without verifying its length. If the input exceeds the buffer size, stack memory is overwritten, including the function's return address. This classic memory corruption bug allows an attacker to redirect execution flow and run arbitrary code on the device.
The attack can be performed remotely and does not require authentication. Exploit code is publicly available, making it feasible for attackers to automate scanning and exploitation of exposed devices. The vulnerability is due to a lack of proper input validation and secure coding practices in the firmware's web interface.
No code snippet is provided in the public sources, but the technical analysis confirms the vulnerability mechanism and affected parameter. The flaw is classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow).
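The bug class described above, shown as an added illustration rather than code from the Linksys firmware or the public sources: an unchecked copy of DMZIPAddress next to a form that bounds and validates it before any write. The function names and the 16-byte buffer size are assumptions, since the firmware's real handler and buffer size are not public.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Assumed buffer size (INET_ADDRSTRLEN = 16); the firmware's real size is not public. */
#define DMZ_BUF_LEN INET_ADDRSTRLEN

/* Unsafe pattern (hypothetical handler): the request, not the buffer,
 * decides how many bytes are written to the stack. */
int set_dmz_unsafe(const char *dmz_ip_param)
{
    char ip[DMZ_BUF_LEN];
    strcpy(ip, dmz_ip_param);            /* CWE-121: no length check */
    return ip[0] != '\0';
}

/* Hardened form: bound the length first, then accept only a valid IPv4
 * address. Returns 0 and fills `out` on success, -1 on rejection. */
int set_dmz_checked(const char *dmz_ip_param, char out[DMZ_BUF_LEN])
{
    struct in_addr addr;
    size_t n = 0;

    if (dmz_ip_param == NULL)
        return -1;
    while (n < DMZ_BUF_LEN && dmz_ip_param[n] != '\0')
        n++;                             /* never scans past DMZ_BUF_LEN bytes */
    if (n == 0 || n >= DMZ_BUF_LEN)
        return -1;                       /* empty, or too long to fit with NUL */
    if (inet_pton(AF_INET, dmz_ip_param, &addr) != 1)
        return -1;                       /* not dotted-quad IPv4 */
    /* Store the canonical form; inet_ntop is told the buffer size. */
    return inet_ntop(AF_INET, &addr, out, DMZ_BUF_LEN) ? 0 : -1;
}

int main(void)
{
    const char *samples[] = { "192.168.1.50", "1.2.3.4x", "999.1.1.1",
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" };   /* constructed inputs */
    char out[DMZ_BUF_LEN];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12.12s -> %s\n", samples[i],
               set_dmz_checked(samples[i], out) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The checked version rejects on length before parsing, so an oversized value never reaches a copy routine at all.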
Affected Systems and Versions
- Linksys RE6250, firmware up to 20250801
- Linksys RE6300, firmware up to 20250801
- Linksys RE6350, firmware up to 20250801
- Linksys RE6500, firmware up to 20250801
- Linksys RE7000, firmware up to 20250801
- Linksys RE9000, firmware up to 20250801
The vulnerability is present in the default configuration, as the web management interface and /goform/setDMZ endpoint are enabled by default on these devices.
Vendor Security History
Linksys has a recurring history of memory safety issues in its firmware, particularly in the RE series. Recent CVEs include:
- CVE-2025-8817: Stack buffer overflow in setLan (lan2enabled parameter)
- CVE-2025-8816: Stack buffer overflow in setOpMode
- CVE-2025-8819: Stack buffer overflow in setWan
- Multiple command injection vulnerabilities (CVE-2025-5441, CVE-2025-5442, CVE-2025-5446)
In all these cases, public disclosure occurred without timely vendor advisories or patches. The vendor has not responded to coordinated disclosure efforts for CVE-2025-8832 and related issues, and no official mitigations or updates have been released.