Linksys RE6250/6300/6350/6500/7000/9000 CVE-2025-9481 Buffer Overflow: Brief Technical Review

A brief summary of CVE-2025-9481, a stack-based buffer overflow in Linksys RE series range extenders. This post covers technical details, affected versions, and vendor security history based on available public information.

ZeroPath CVE Analysis

2025-08-26

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

Introduction

Remote attackers can gain code execution on widely deployed Linksys RE series range extenders due to a stack-based buffer overflow in the setIpv6 function. This vulnerability affects millions of consumer and small business networks, with public exploit code already available and no vendor patch or advisory at the time of writing.

Linksys is a major networking hardware vendor with a global footprint in consumer and SMB markets. Their RE series range extenders are commonly used to expand WiFi coverage in homes and offices. The company has a history of similar vulnerabilities in this product line, and public sources indicate a pattern of slow or absent response to coordinated security disclosures.

Technical Information

CVE-2025-9481 is a stack-based buffer overflow in the setIpv6 function, accessible via the /goform/setIpv6 HTTP endpoint on affected Linksys RE series devices. The vulnerability arises from improper handling of the tunrd_Prefix parameter in HTTP POST requests. Specifically, the function copies user-supplied data from this parameter into a fixed-size stack buffer without validating its length. This allows an attacker to overwrite adjacent stack memory, including the return address, leading to arbitrary code execution.

Key technical points:

  • The vulnerable code path is triggered by an HTTP POST to /goform/setIpv6 with an oversized tunrd_Prefix value.
  • No authentication is required to exploit the vulnerability.
  • The flaw is present in multiple firmware versions, indicating a systemic input validation issue.
  • Public exploit code exists, lowering the barrier for exploitation.

No official code snippet has been published by the vendor or in advisories. For further technical details and exploit references, see the linked external research.
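The missing length check described above, shown as an added defensive example (not Linksys firmware code, and not from the original post). It assumes tunrd_Prefix is meant to hold one textual IPv6 prefix; the function names, buffer size and status codes are hypothetical.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Assumption: the field holds one textual IPv6 address/prefix, so the
 * longest legal value fits in INET6_ADDRSTRLEN (46) bytes including NUL. */
#define PREFIX_BUF_LEN INET6_ADDRSTRLEN

/* Copy form_value into dst only if it fits and parses as IPv6.
 * Returns 0 on success; -1 otherwise, leaving dst untouched. */
int copy_ipv6_prefix(const char *form_value, char *dst, size_t dst_len)
{
    struct in6_addr parsed;
    const char *nul;
    size_t n;

    if (form_value == NULL || dst == NULL || dst_len == 0)
        return -1;
    /* Look for the terminator within dst_len bytes only: an oversized
     * value is rejected before any copy takes place. */
    nul = memchr(form_value, '\0', dst_len);
    if (nul == NULL || nul == form_value)
        return -1;
    n = (size_t)(nul - form_value);
    if (inet_pton(AF_INET6, form_value, &parsed) != 1)
        return -1;
    memcpy(dst, form_value, n + 1);  /* n + 1 <= dst_len, includes NUL */
    return 0;
}

/* Hypothetical handler: returns an HTTP-style status code. */
int handle_set_ipv6(const char *tunrd_prefix)
{
    char prefix[PREFIX_BUF_LEN];
    if (copy_ipv6_prefix(tunrd_prefix, prefix, sizeof prefix) != 0)
        return 400;  /* reject instead of writing past the buffer */
    /* ... hand the validated prefix to the IPv6 configuration code ... */
    return 200;
}

int main(void)
{
    char big[512];  /* constructed oversized input */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("valid: %d\n", handle_set_ipv6("2001:db8::"));
    printf("oversized: %d\n", handle_set_ipv6(big));
    return 0;
}
```

The length test runs before the copy and is bounded by the destination size, so the stack buffer is never written when the value is too long or malformed.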

Affected Systems and Versions

The following Linksys RE series models and firmware versions are affected:

  • RE6250: 1.0.013.001
  • RE6300: 1.0.04.001
  • RE6350: 1.0.04.002
  • RE6500: 1.1.05.003
  • RE7000: 1.2.07.001
  • RE9000: 1.2.07.001

All configurations exposing the /goform/setIpv6 endpoint are vulnerable.

Vendor Security History

Linksys has experienced multiple critical buffer overflow vulnerabilities in the same RE series product line, including:

  • CVE-2025-9355 (scheduleAdd endpoint)
  • CVE-2025-8826 (various endpoints)
  • CVE-2025-9357 (other /goform/ endpoints)
  • CVE-2025-8831 (remoteManagement endpoint)

Public sources report a pattern of slow or absent vendor response to coordinated disclosure, with no patches or advisories released for these issues as of the publication date.

References
