How ZeroPath Works
Back to Blog

Linksys RE Series CVE-2025-9359 Stack Buffer Overflow: Brief Summary and Technical Review

A brief summary of CVE-2025-9359, a stack-based buffer overflow in Linksys RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000 range extenders. This post covers affected versions, technical details, and vendor security history. No patch or detection methods are currently available.
CVE Analysis

8 min read

ZeroPath CVE Analysis

ZeroPath CVE Analysis

2025-08-23

Linksys RE Series CVE-2025-9359 Stack Buffer Overflow: Brief Summary and Technical Review
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

Remote attackers can gain code execution on Linksys RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000 range extenders by exploiting a stack-based buffer overflow in the device's web management interface. With no patch available and public exploits circulating, this vulnerability exposes a large population of consumer and SMB networks to compromise.

Linksys is a globally recognized networking hardware vendor, part of Belkin and Foxconn, with a significant share of the consumer and small business WiFi market. The RE series range extenders are widely deployed for wireless coverage extension, making vulnerabilities in these products impactful for millions of users worldwide.

Technical Information

CVE-2025-9359 is a stack-based buffer overflow in the RP_checkCredentialsByBBS function, accessible via the /goform/RP_checkCredentialsByBBS endpoint on affected Linksys RE series devices. The vulnerability is triggered when the ssidhex or pwd parameters in an HTTP POST request are not properly validated for length before being copied into fixed-size stack buffers.

When an attacker submits an oversized value for either parameter, the function performs an unsafe copy operation, causing stack memory corruption. This can overwrite the return address or function pointers on the stack, leading to arbitrary code execution under the context of the device firmware. The vulnerability is remotely exploitable and does not require authentication.

The issue is classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow). The root cause is lack of input length validation and unsafe memory handling in the web interface code. Public exploit code and detailed technical writeups are available, making exploitation accessible to a wide range of attackers.

Affected Systems and Versions

The following Linksys range extenders and firmware versions are affected:

  • RE6250: 1.0.013.001
  • RE6300: 1.0.04.001, 1.0.04.002
  • RE6350: 1.0.04.001, 1.0.04.002
  • RE6500: 1.1.05.003
  • RE7000: 1.2.07.001
  • RE9000: 1.2.07.001

All configurations with the web management interface enabled are vulnerable.

Vendor Security History

Linksys has a documented history of similar vulnerabilities in the RE series firmware. Notable related CVEs include:

  • CVE-2025-9355: Stack-based buffer overflow in scheduleAdd via ruleName
  • CVE-2025-9356: Stack-based buffer overflow in inboundFilterAdd via ruleName
  • CVE-2025-8832: Stack-based buffer overflow in setDMZ via DMZIPAddress
  • CVE-2025-8833: Stack-based buffer overflow in langSwitchBack via langSelectionOnly

For all of these, the vendor did not respond to coordinated disclosure attempts and no official patches have been released. This pattern indicates persistent issues in secure development and vulnerability management practices.

References

Detect & fix
what others miss

Get startedBook a demo