Linksys RE Series Stack Buffer Overflow (CVE-2025-9357): Brief Summary and Technical Review

This post provides a brief summary and technical review of CVE-2025-9357, a stack-based buffer overflow in Linksys RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000 range extenders. The vulnerability is remotely exploitable via the langSelectionOnly parameter in the langSwitchByBBS function. No patch or detection method is available at this time.

ZeroPath CVE Analysis

2025-08-22

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.


Introduction

Remote attackers can achieve arbitrary code execution on Linksys RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000 range extenders by exploiting a stack-based buffer overflow in the web management interface. With no authentication required and public exploit code available, this vulnerability puts millions of consumer and small business networks at risk of compromise.

Linksys is a major global vendor of consumer and SMB networking equipment, with a large installed base of wireless routers and range extenders. The RE series is widely used in homes and offices to extend wireless coverage, making these devices a significant target for attackers seeking access to internal networks.

Technical Information

CVE-2025-9357 is a stack-based buffer overflow in the langSwitchByBBS function, which is accessible via the HTTP endpoint /goform/langSwitchByBBS. The vulnerability is triggered by the langSelectionOnly parameter, which is copied into a fixed-size stack buffer without proper bounds checking. This allows a remote attacker to send an overlong value for langSelectionOnly, overwriting stack memory including the return address and potentially achieving arbitrary code execution.

The vulnerability is classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow). The attack requires no authentication and can be performed remotely over the network. Public exploit code is available for similar vulnerabilities in the same codebase, increasing the likelihood of exploitation.

Multiple related CVEs (including CVE-2025-8833) have been reported in the same parameter and function family, indicating a systemic lack of input validation and memory safety controls in the Linksys RE series firmware. The root cause is the use of unsafe string handling functions that do not check buffer boundaries when copying user-supplied data.
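The root cause described above is a copy into a stack buffer with no length check. As an added example (not Linksys firmware code and not part of the original analysis), this C handler rejects an overlong or malformed langSelectionOnly value before it reaches the buffer; the 32-byte buffer size, the function names and the allowed character set are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LANG_BUF_SIZE 32 /* assumed; the page does not give the real buffer size */

/* Copy a language tag into dst only if it fits and is well formed.
 * Returns 0 on success, -1 on a missing, empty, overlong or malformed value. */
int copy_lang_param(char *dst, size_t dst_size, const char *value)
{
    const char *nul;
    size_t len, i;

    if (dst == NULL || dst_size == 0 || value == NULL)
        return -1;
    /* Look for the terminator within dst_size bytes only. */
    nul = memchr(value, '\0', dst_size);
    if (nul == NULL || nul == value)
        return -1; /* too long or empty: reject instead of truncating */
    len = (size_t)(nul - value);
    /* Allow only what a tag such as "en" or "zh-CN" needs. */
    for (i = 0; i < len; i++) {
        char c = value[i];
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '-' || c == '_'))
            return -1;
    }
    memcpy(dst, value, len + 1); /* len + 1 <= dst_size, NUL included */
    return 0;
}

/* Hypothetical handler shape for /goform/langSwitchByBBS. The unsafe pattern
 * the page describes would be an unbounded copy into lang at this point. */
int handle_lang_switch(const char *langSelectionOnly, char *out, size_t out_size)
{
    char lang[LANG_BUF_SIZE];

    if (copy_lang_param(lang, sizeof lang, langSelectionOnly) != 0)
        return 400; /* HTTP-style status for a rejected request */
    snprintf(out, out_size, "lang=%s", lang);
    return 200;
}
```

Rejecting rather than truncating keeps the handler from acting on a value the client never sent in that form.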

Affected Systems and Versions

  • Linksys RE6250 with firmware 1.0.013.001
  • Linksys RE6300 with firmware 1.0.04.001 and 1.0.04.002
  • Linksys RE6350 with firmware 1.0.04.001 and 1.0.04.002
  • Linksys RE6500 with firmware 1.1.05.003
  • Linksys RE7000 with firmware 1.2.07.001
  • Linksys RE9000 with firmware 1.2.07.001

All configurations with the above firmware versions are vulnerable if the web management interface is accessible.

Vendor Security History

Linksys has a documented history of stack-based buffer overflows and related memory safety issues in its RE series firmware. Multiple CVEs in 2025 (CVE-2025-8832, CVE-2025-8819, CVE-2025-8817, CVE-2025-8824, CVE-2025-8820, CVE-2025-8816, CVE-2025-8833) show a pattern of insufficient input validation and slow or absent vendor response. Linksys has not provided patches or public statements for this issue as of publication.
