Introduction
Remote attackers can take full control of Linksys RE series range extenders by exploiting a stack-based buffer overflow in the device's web management interface. This vulnerability affects millions of consumer and small business networks, exposing them to code execution and persistent compromise.
Linksys is a leading global vendor of consumer and SMB networking equipment, with a significant share of the wireless extender market. The RE series (RE6250, RE6300, RE6350, RE6500, RE7000, RE9000) are widely deployed for extending WiFi coverage in homes and offices. These devices are often managed via a web interface, making them accessible targets on internal networks and sometimes exposed to the Internet.
Technical Information
CVE-2025-9355 is a stack-based buffer overflow in the scheduleAdd function of Linksys RE series range extenders. The vulnerability is present in the HTTP endpoint /goform/scheduleAdd, which handles scheduling rules for the device. The flaw occurs because the function copies the ruleName parameter from the HTTP request into a fixed-size stack buffer without proper bounds checking.
When an attacker sends an HTTP POST request to /goform/scheduleAdd with an excessively long ruleName value, the buffer overflows, overwriting adjacent stack memory including the function's return address. This allows remote, unauthenticated attackers to execute arbitrary code with root privileges. The endpoint does not require authentication, so any network user with access to the device's management interface can exploit the flaw.
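The length check that the description above says is missing, written as an added example; it is not code from the firmware or from Linksys. The names RULE_NAME_MAX, get_form_param and schedule_add are hypothetical, and the 32-byte buffer size is an assumption because the advisory does not state the real one.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size: the advisory does not give the real buffer length. */
#define RULE_NAME_MAX 32
/* Flawed pattern as described, kept as a comment: strcpy(rule_name, value); */

/* Copy the value of `key` from a form-encoded body into `out`. Returns the
 * value length, -1 if the key is absent, -2 if the value does not fit. */
static int get_form_param(const char *body, const char *key,
                          char *out, size_t out_size)
{
    size_t klen = strlen(key);
    const char *p = body;

    while (p && *p) {
        const char *end = strchr(p, '&');
        size_t flen = end ? (size_t)(end - p) : strlen(p);
        if (flen > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            size_t vlen = flen - klen - 1;
            if (vlen >= out_size)
                return -2;          /* reject: no truncation, no overflow */
            memcpy(out, p + klen + 1, vlen);
            out[vlen] = '\0';
            return (int)vlen;
        }
        p = end ? end + 1 : NULL;   /* move to the next field */
    }
    return -1;
}

/* Hypothetical handler: 0 = rule accepted, negative = request refused. */
int schedule_add(const char *body)
{
    char rule_name[RULE_NAME_MAX];  /* fixed-size stack buffer */
    int n = get_form_param(body, "ruleName", rule_name, sizeof rule_name);

    if (n <= 0)
        return n < 0 ? n : -3;      /* absent, oversized, or empty name */
    printf("schedule rule accepted: %s\n", rule_name);
    return 0;
}

int main(void)
{
    /* Constructed request bodies, not captured traffic. */
    printf("%d\n", schedule_add("ruleName=night&day=1"));
    printf("%d\n", schedule_add("ruleName=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"));
    return 0;
}
```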
The vulnerability is present in the following firmware versions:
- 1.0.013.001
- 1.0.04.001
- 1.0.04.002
- 1.1.05.003
- 1.2.07.001
No public information indicates the use of stack canaries or other modern memory protections in these firmware versions. Public exploit code is available, making exploitation accessible to a wide range of attackers.
Affected Systems and Versions
The following Linksys RE series range extenders and firmware versions are affected:
- RE6250: 1.0.013.001
- RE6300: 1.0.04.001, 1.0.04.002
- RE6350: 1.0.04.001, 1.0.04.002
- RE6500: 1.1.05.003
- RE7000: 1.2.07.001
- RE9000: 1.2.07.001
All configurations where the web management interface is accessible are vulnerable. No authentication is required to exploit the flaw.
Vendor Security History
Linksys has a documented history of similar vulnerabilities in the RE series product line. Recent CVEs include:
- CVE-2025-8824: Stack-based buffer overflow in setRIP function
- CVE-2025-8822: Stack-based buffer overflow in algDisable function
- CVE-2025-8832: Stack-based buffer overflow in setDMZ function
- CVE-2025-8817: Stack-based buffer overflow in setLan function
- CVE-2025-8820: Stack-based buffer overflow in wirelessBasic
- CVE-2025-8816: Stack-based buffer overflow in setOpMode
Public sources indicate that Linksys has not responded to coordinated disclosure attempts for several of these issues, and no timely patches or advisories have been released for critical vulnerabilities in the RE series.