Introduction
Attackers can remotely execute arbitrary code on Linksys RE-series range extenders by exploiting a stack-based buffer overflow in the addStaProfile function. This issue affects millions of consumer and small business wireless networks, as no patch is available and the exploit is public.
Linksys is a major global vendor of networking equipment, especially for residential and small business markets. Their RE-series range extenders are widely deployed to improve Wi-Fi coverage. The affected models and firmware versions are broadly used, and the vulnerability impacts the integrity of internal network segments where these devices are installed.
Technical Information
CVE-2025-9393 is a stack-based buffer overflow vulnerability in the addStaProfile function, which is accessible via the /goform/addStaProfile HTTP endpoint on affected Linksys RE-series range extenders. The vulnerability is triggered when an attacker sends a crafted HTTP POST request with oversized values in one or more of the following parameters:
- profile_name
- Ssid
- wep_key_1
- wep_key_2
- wep_key_3
- wep_key_4
- wep_key_length
- wep_default_key
- cipher
- passphrase
The firmware copies these user-supplied values into fixed-size stack buffers without proper bounds checking. This leads to stack memory corruption, which can be exploited to achieve arbitrary code execution as the web server process (typically with high privileges on embedded devices). No authentication is required to reach the vulnerable code path, so exploitation can be performed remotely.
The root cause is the lack of input validation and unsafe buffer handling in the firmware. This pattern is consistent with other vulnerabilities in the same product line, such as CVE-2025-9248, CVE-2025-9253, CVE-2025-9356, CVE-2025-9355, and CVE-2025-9360. All involve similar failures to validate input length before copying data into stack-allocated buffers.
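The root cause described above, shown from the fixing side: an added example, not code from the Linksys firmware or from the original advisory. The handler name add_sta_profile, the struct, and the buffer sizes are assumptions for illustration, and only three of the listed parameters are modeled; the others would be handled the same way.

```c
#include <stdio.h>
#include <string.h>

/* Sizes are assumptions; the advisory does not give the firmware's real ones. */
#define NAME_MAX_LEN 32
#define SSID_MAX_LEN 32   /* 802.11 SSIDs are at most 32 bytes */
#define PASS_MAX_LEN 64   /* WPA2 passphrase, or 64 hex digits */

struct sta_profile {
    char profile_name[NAME_MAX_LEN + 1];
    char ssid[SSID_MAX_LEN + 1];
    char passphrase[PASS_MAX_LEN + 1];
};

/* Copy src into dst only if it fits, terminator included.
   Returns 0 on success, -1 if src is missing or too long (dst left empty). */
static int copy_field(char *dst, size_t dst_size, const char *src)
{
    dst[0] = '\0';
    if (src == NULL)
        return -1;
    const char *end = memchr(src, '\0', dst_size); /* scans at most dst_size bytes */
    if (end == NULL)
        return -1;                                 /* reject, never truncate silently */
    memcpy(dst, src, (size_t)(end - src) + 1);
    return 0;
}

/* Hypothetical handler. The unsafe pattern the advisory describes is an
   unchecked copy of each request value into a fixed-size stack buffer; here
   every field is length-checked first and *out changes only if all pass. */
int add_sta_profile(struct sta_profile *out, const char *profile_name,
                    const char *ssid, const char *passphrase)
{
    struct sta_profile tmp = {0};
    if (copy_field(tmp.profile_name, sizeof tmp.profile_name, profile_name) ||
        copy_field(tmp.ssid, sizeof tmp.ssid, ssid) ||
        copy_field(tmp.passphrase, sizeof tmp.passphrase, passphrase))
        return -1;
    *out = tmp;
    return 0;
}

int main(void)
{
    struct sta_profile p;
    char oversized[601];                           /* constructed sample input */
    memset(oversized, 'A', 600); oversized[600] = '\0';
    printf("normal: %d\n", add_sta_profile(&p, "home", "MyNet", "correct horse"));
    printf("oversized: %d\n", add_sta_profile(&p, "home", oversized, "pw"));
    return 0;
}
```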
No patch or official mitigation is available. The exploit is public, and the vulnerability is actively discussed in security research channels.
Affected Systems and Versions
The following Linksys RE-series range extender models and firmware versions are affected:
- RE6250 firmware 1.0.013.001
- RE6300 firmware 1.0.04.001
- RE6350 firmware 1.0.04.002
- RE6500 firmware 1.1.05.003
- RE7000 firmware 1.2.07.001
- RE9000 firmware 1.2.07.001
All configurations exposing the /goform/addStaProfile endpoint are vulnerable.
Vendor Security History
Linksys has a documented pattern of stack-based buffer overflow vulnerabilities in its RE-series range extenders. Recent CVEs include:
- CVE-2025-9248 (RP_pingGatewayByBBS function, ssidhex parameter)
- CVE-2025-9253 (RP_doSpecifySiteSurvey function, ssidhex parameter)
- CVE-2025-9356 (inboundFilterAdd function)
- CVE-2025-9355 (scheduleAdd function)
- CVE-2025-9360 (accessControlAdd function)
The vendor has not responded to coordinated disclosure attempts for these issues, and no patches or advisories have been released for CVE-2025-9393 or related vulnerabilities. This indicates systemic weaknesses in Linksys's secure development and incident response processes.