Introduction
Remote attackers can gain code execution on Linksys RE series range extenders through a stack-based buffer overflow in the device's web interface. This vulnerability affects a significant portion of consumer and small business wireless infrastructure, with public exploits already available and no vendor patch in sight.
Linksys is a major player in the consumer and SMB networking market, with millions of devices deployed globally. The RE series range extenders are widely used to improve wireless coverage in homes and offices, making vulnerabilities in these devices highly impactful for network security.
Technical Information
CVE-2025-9392 is a stack-based buffer overflow in the qosClassifier function of the /goform/qosClassifier endpoint on Linksys RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000 range extenders. The vulnerability is present in firmware versions 1.0.013.001, 1.0.04.001, 1.0.04.002, 1.1.05.003, and 1.2.07.001.
The flaw arises because the qosClassifier function copies user-supplied values for parameters such as dir, sFromPort, sToPort, dFromPort, dToPort, protocol, layer7, dscp, and remark_dscp into stack-allocated buffers without proper bounds checking. When an attacker sends an HTTP POST request to /goform/qosClassifier with excessively long values for any of these parameters, the buffer is overflowed, leading to stack corruption. This can allow the attacker to overwrite the function's return address and execute arbitrary code on the device.
The attack is remotely exploitable and does not require authentication. The lack of stack canaries, ASLR, or DEP in the affected firmware versions makes exploitation more reliable. Multiple parameters are affected, giving attackers flexibility in crafting payloads.
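With no vendor patch available, one way to spot requests of the kind described above is to measure the decoded length of each listed parameter in POST bodies sent to /goform/qosClassifier. The Python below is an added example, not code from Linksys or from the original advisory; the 64-character threshold, the function name oversized_params and the sample requests are assumptions constructed for illustration.

```python
from urllib.parse import parse_qsl, urlsplit

ENDPOINT = "/goform/qosClassifier"
# Parameter names listed in the advisory text.
WATCHED = {"dir", "sFromPort", "sToPort", "dFromPort", "dToPort",
           "protocol", "layer7", "dscp", "remark_dscp"}
# Assumption: legitimate values (ports, DSCP codes, short names) are far
# shorter than this; tune against traffic from your own devices.
MAX_VALUE_LEN = 64


def oversized_params(method, target, body, limit=MAX_VALUE_LEN):
    """Return [(name, decoded_length)] for watched parameters over `limit`.

    Returns [] for anything that is not a POST to the endpoint.
    """
    if method.upper() != "POST":
        return []
    # urlsplit drops any query string so only the path is compared.
    if urlsplit(target).path != ENDPOINT:
        return []
    hits = []
    # Lengths are measured after percent-decoding, so encoded padding
    # (e.g. "%41" repeated) is counted as the bytes the handler would see.
    # errors="replace" keeps non-UTF-8 bytes from aborting the parse.
    for name, value in parse_qsl(body, keep_blank_values=True,
                                 encoding="utf-8", errors="replace"):
        if name in WATCHED and len(value) > limit:
            hits.append((name, len(value)))
    return hits


# Constructed sample requests (not captured traffic).
SAMPLES = [
    ("POST", "/goform/qosClassifier",
     "dir=0&sFromPort=80&sToPort=80&protocol=tcp&dscp=0"),
    ("POST", "/goform/qosClassifier",
     "dir=0&sFromPort=" + "9" * 300 + "&dscp=" + "%41" * 120),
    ("GET", "/goform/qosClassifier", "dir=" + "x" * 500),
    ("POST", "/goform/other", "dir=" + "x" * 500),
]

if __name__ == "__main__":
    for method, target, body in SAMPLES:
        print(method, target, oversized_params(method, target, body))
```

The same length check can be applied at a reverse proxy or in log review for any management interface that fronts these devices.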
Proof of Concept
The vulnerability in Linksys RE series devices, specifically models RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000, involves a stack-based buffer overflow in the /goform/qosClassifier endpoint. This flaw arises when excessively long input is provided to parameters such as dir, sFromPort, sToPort, dFromPort, dToPort, protocol, layer7, dscp, and remark_dscp. By sending a crafted HTTP POST request with oversized values for these parameters, an attacker can overwrite the stack, potentially leading to arbitrary code execution. This exploit can be executed remotely without authentication, making it particularly dangerous. A proof-of-concept exploit has been publicly disclosed, demonstrating the ease with which this vulnerability can be exploited.
References: https://vuldb.com/?id.321225
Affected Systems and Versions
- Linksys RE6250: firmware 1.0.013.001
- Linksys RE6300: firmware 1.0.04.001
- Linksys RE6350: firmware 1.0.04.002
- Linksys RE6500: firmware 1.1.05.003
- Linksys RE7000: firmware 1.2.07.001
- Linksys RE9000: firmware 1.2.07.001
All configurations with the vulnerable firmware versions are affected.
Vendor Security History
Linksys has experienced a series of similar vulnerabilities in the RE series throughout 2025, including multiple stack-based buffer overflows in web interface endpoints. The vendor has a documented pattern of not responding to coordinated disclosure attempts, with no advisories or patches released for several critical issues. This suggests ongoing systemic security challenges in their firmware development and vulnerability management processes.