Linksys RE Series Buffer Overflow (CVE-2025-9358): Brief Summary and Technical Review

A brief summary of CVE-2025-9358, a stack-based buffer overflow in Linksys RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000 extenders. This post covers affected versions, technical vulnerability details, and vendor security history. No patch or detection guidance is currently available.
ZeroPath CVE Analysis

2025-08-23

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.


Introduction

Remote attackers can gain full control over Linksys RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000 range extenders by exploiting a stack-based buffer overflow in the setSysAdm function. The flaw is present in multiple firmware versions and has a public exploit available, making it a significant risk for any network using these devices.

Linksys is a major networking hardware vendor with a global presence in consumer and small business markets. The RE series is widely deployed for wireless range extension in homes and offices. Linksys has faced a series of critical vulnerabilities in this product line, with multiple buffer overflows reported in 2025 alone and a pattern of unresponsiveness to coordinated disclosure.

Technical Information

CVE-2025-9358 is a stack-based buffer overflow in the setSysAdm function of the Linksys RE series web management interface. The vulnerability is triggered when an attacker sends an HTTP POST request to the /goform/setSysAdm endpoint with an admpasshint parameter that exceeds the size of the destination stack buffer. The firmware copies the admpasshint value into a fixed-size buffer without proper bounds checking. This allows remote, unauthenticated attackers to overwrite stack memory, including the function's return address, which can lead to arbitrary code execution as root.

The root cause is improper handling of user-supplied input in the setSysAdm function. The firmware fails to validate the length of the admpasshint parameter before copying it into a stack buffer. This is a classic example of a stack-based buffer overflow (CWE-121, CWE-119) and is similar to other recent flaws in Linksys RE firmware where multiple endpoints fail to enforce input size limits.

No code snippet is available from public sources for this vulnerability.
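
The root cause described above (a request field copied into a fixed-size stack buffer with no length check) is shown here next to a bounded alternative. This is an added illustration, not Linksys firmware code: HINT_BUF_SIZE, copy_param_checked and handle_hint_param are hypothetical names and values chosen for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed size for illustration; the firmware's real buffer size is not public. */
#define HINT_BUF_SIZE 64

/* Unsafe pattern the text describes, kept as a comment only:
 *     char hint[HINT_BUF_SIZE];
 *     strcpy(hint, value);      -- length of value is never checked
 */

/* Copy src into dst only if it fits, terminator included.
 * Returns 0 on success, -1 on NULL input or when src is too long.
 * Reads at most dst_size bytes of src and never truncates silently. */
int copy_param_checked(char *dst, size_t dst_size, const char *src)
{
    size_t len = 0;

    if (dst == NULL || dst_size == 0 || src == NULL)
        return -1;
    while (len < dst_size && src[len] != '\0')
        len++;
    if (len == dst_size)         /* no terminator within dst_size bytes */
        return -1;
    memcpy(dst, src, len + 1);   /* len + 1 <= dst_size */
    return 0;
}

/* Hypothetical handler: validate the field before any state change.
 * Returns an HTTP-style status: 200 accepted, 400 rejected. */
int handle_hint_param(const char *value, char *stored, size_t stored_size)
{
    char hint[HINT_BUF_SIZE];

    if (copy_param_checked(hint, sizeof hint, value) != 0)
        return 400;
    if (copy_param_checked(stored, stored_size, hint) != 0)
        return 400;
    return 200;
}

int main(void)
{
    char stored[HINT_BUF_SIZE];
    printf("%d\n", handle_hint_param("my hint", stored, sizeof stored));
    return 0;
}
```

Rejecting the request outright, rather than truncating, keeps the stored value identical to what the client sent and gives the handler a single failure path to log.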

Affected Systems and Versions

The following Linksys range extenders and firmware versions are affected:

  • RE6250: 1.0.013.001
  • RE6300: 1.0.04.001
  • RE6350: 1.0.04.002
  • RE6500: 1.1.05.003
  • RE7000: 1.2.07.001
  • RE9000: 1.2.07.001

All listed versions are vulnerable. The flaw is present in the default configuration as the web management interface is enabled by default.

Vendor Security History

Linksys has a documented history of stack-based buffer overflow vulnerabilities in the RE series. Multiple CVEs were reported in 2025 for similar flaws in different firmware functions. The vendor has not responded to coordinated disclosure attempts for these issues and has not released patches or advisories. This indicates systemic issues in secure development and vulnerability management processes.
