Linksys RE Series CVE-2025-9356 Stack-Based Buffer Overflow: Brief Summary and Technical Review

A brief summary of CVE-2025-9356, a stack-based buffer overflow in Linksys RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000 range extenders. This post covers affected versions, technical details, and vendor security history, with references to public advisories and research.
ZeroPath CVE Analysis

2025-08-22
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.


Introduction

Compromise of a wireless range extender can provide attackers with a foothold inside a private network, bypassing perimeter defenses and exposing sensitive traffic. CVE-2025-9356 is a high-severity stack-based buffer overflow in several widely deployed Linksys RE series range extenders, with public exploit code and no vendor patch available. The flaw is remotely exploitable and does not require authentication, making it a significant risk for both consumer and small business environments.

Linksys is a major global networking hardware vendor, known for its broad range of Wi-Fi routers, switches, and wireless extenders. The RE series is a popular line of range extenders designed to increase wireless coverage in homes and offices. These devices are commonly found in residential and small business networks worldwide.

Technical Information

CVE-2025-9356 is a stack-based buffer overflow vulnerability in the inboundFilterAdd function of Linksys RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000 range extenders. The vulnerability is triggered by sending an HTTP request to the /goform/inboundFilterAdd endpoint with an overly long ruleName parameter. The function copies the ruleName value into a fixed-size buffer on the stack without checking the value's length against the buffer's size. This allows an attacker to overwrite adjacent stack memory, including the saved return address, leading to arbitrary code execution.

The root cause is improper validation of user-supplied input in the ruleName parameter. The vulnerable code path does not enforce length restrictions before copying data to the stack buffer. As a result, a remote attacker can craft a request that overflows the buffer and hijacks control flow. This vulnerability is present in multiple firmware versions, indicating persistent insecure coding practices in the device firmware.

The flaw is remotely exploitable and does not require authentication. Public exploit code is available, making exploitation feasible for a wide range of attackers. The vulnerability is similar in nature to other stack-based buffer overflows reported in the same device family, such as CVE-2025-8824 (setRIP), CVE-2025-8819 (setWan), and CVE-2025-8822 (algDisable), all involving /goform/ endpoints and improper input validation.
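The defect class described above, shown as a vulnerable handler beside its hardened form. This is an added illustration written for this post, not the Linksys firmware or any reconstruction of it: the buffer size (RULE_NAME_MAX), the function names, the return codes and the form-body parser are all assumptions. The unsafe variant copies the parameter into a fixed-size stack buffer with no length comparison, which is the pattern the page attributes to inboundFilterAdd; the safe variant rejects over-long input before any byte is written to the stack.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical size of the fixed-size stack buffer the page describes; the
 * real size in the Linksys firmware is not stated on the page. */
#define RULE_NAME_MAX 32

enum {
    RULE_OK = 0,
    RULE_ERR_MISSING = -1,   /* parameter absent from the request body */
    RULE_ERR_TOO_LONG = -2   /* value would not fit the stack buffer */
};

/* Locate the value of `key` in an application/x-www-form-urlencoded body.
 * Returns a pointer to the first byte of the value and writes its length
 * (up to the next '&' or end of string) to *len; NULL if absent.
 * URL-decoding is deliberately left out of this illustration. */
static const char *find_form_value(const char *body, const char *key, size_t *len) {
    size_t klen = strlen(key);
    const char *p = body;
    while (p != NULL && *p != '\0') {
        if (strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *val = p + klen + 1;
            const char *end = strchr(val, '&');
            *len = end ? (size_t)(end - val) : strlen(val);
            return val;
        }
        p = strchr(p, '&');
        if (p) p++;
    }
    return NULL;
}

/* Unsafe pattern (illustrative, not the vendor's code): the value is copied
 * into a fixed-size stack buffer with no length check, so a value longer than
 * RULE_NAME_MAX - 1 bytes overwrites adjacent stack memory, including the
 * saved return address. Only call this with short input; anything longer is
 * undefined behaviour. */
static int inbound_filter_add_unsafe(const char *body) {
    char name_buf[RULE_NAME_MAX];
    size_t len;
    const char *val = find_form_value(body, "ruleName", &len);
    if (val == NULL) return RULE_ERR_MISSING;
    memcpy(name_buf, val, len);     /* len is never compared with sizeof name_buf */
    name_buf[len] = '\0';
    return RULE_OK;
}

/* Hardened form: the bound is enforced before any byte is written to the
 * stack buffer, and over-long input is rejected with an error rather than
 * silently truncated, so the caller knows the request was refused. */
static int inbound_filter_add_safe(const char *body) {
    char name_buf[RULE_NAME_MAX];
    size_t len;
    const char *val = find_form_value(body, "ruleName", &len);
    if (val == NULL) return RULE_ERR_MISSING;
    if (len >= sizeof name_buf) return RULE_ERR_TOO_LONG;
    memcpy(name_buf, val, len);
    name_buf[len] = '\0';
    return RULE_OK;
}

int main(void) {
    /* Constructed request bodies: a short name fits, a 200-byte one does not. */
    const char *short_body = "ruleName=office-printer&proto=tcp&port=9100";
    char long_body[210];
    memset(long_body, 'A', sizeof long_body);
    memcpy(long_body, "ruleName=", 9);
    long_body[sizeof long_body - 1] = '\0';

    printf("safe/short: %d\n", inbound_filter_add_safe(short_body));   /* 0 */
    printf("safe/long:  %d\n", inbound_filter_add_safe(long_body));    /* -2 */
    printf("safe/none:  %d\n", inbound_filter_add_safe("proto=tcp"));  /* -1 */
    return 0;
}
```

The check belongs at the handler boundary, before the copy, and the over-long case is an error rather than a truncation: a silently shortened rule name would still be written to the configuration, and the caller would never learn that the request it sent was not the one applied. The same comparison of value length against buffer size is what the other /goform/ overflows listed above are missing.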

Affected Systems and Versions

  • Linksys RE6250 firmware 1.0.013.001
  • Linksys RE6300 firmware 1.0.04.001
  • Linksys RE6350 firmware 1.0.04.002
  • Linksys RE6500 firmware 1.1.05.003
  • Linksys RE7000 firmware 1.2.07.001
  • Linksys RE9000 firmware 1.2.07.001

All configurations with these firmware versions are vulnerable. The vulnerability affects the inboundFilterAdd function accessible via the /goform/inboundFilterAdd endpoint.

Vendor Security History

Linksys has a documented history of memory safety vulnerabilities in its RE series range extenders. Multiple CVEs have been reported for stack-based buffer overflows (CVE-2025-8824, CVE-2025-8819, CVE-2025-8822, CVE-2025-8816) and OS command injection flaws in the same product line. Vendor response to coordinated disclosure has been poor, with no patches released for several critical vulnerabilities and a lack of engagement with security researchers. Previous Linksys vulnerabilities have been exploited by botnets such as TheMoon, highlighting the real-world risk of unpatched flaws in their devices.
