Introduction
Remote attackers can achieve code execution on millions of consumer and small business networks by exploiting a stack-based buffer overflow in Linksys RE series range extenders. The flaw is present in the singlePortForwardAdd function, exposed via the device's web interface, and can be triggered without authentication. This vulnerability is part of a larger pattern of systemic memory safety failures in Linksys firmware, with over a dozen similar issues reported in 2025 alone.
Technical Information
CVE-2025-9483 is a stack-based buffer overflow in the singlePortForwardAdd function of Linksys RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000 range extenders. The vulnerability is triggered by sending an HTTP POST request to the /goform/singlePortForwardAdd endpoint with oversized values in the ruleName, schedule, or inboundFilter parameters. The firmware copies these parameters into fixed-size stack buffers without proper bounds checking. This allows remote attackers to overwrite stack memory and potentially execute arbitrary code. The attack does not require authentication and can be performed from any device with network access to the range extender's administrative interface.
The root cause is the lack of input validation and bounds checking in the handling of user-supplied POST parameters. When an attacker submits a request with excessively long values for ruleName, schedule, or inboundFilter, the firmware's unsafe copy operation causes a classic stack-based buffer overflow. This can overwrite return addresses or function pointers on the stack, redirecting execution flow to attacker-controlled code. The vulnerability is present in multiple firmware versions and is consistent with other buffer overflow issues in the same product line, such as those affecting /goform/qosClassifier, /goform/portTriggerManageRule, and /goform/addStaProfile endpoints.
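The missing control, shown as an added example that is not Linksys firmware code and not part of the original advisory: each of the three parameters is length-checked against its destination buffer before any copy, and an oversized value rejects the whole request. The 64-byte field size, the struct, and the function names are assumptions made for illustration; values are copied raw, without URL decoding.

```c
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 64  /* assumed size; the firmware's real buffer sizes are not published on the page */
struct port_forward_rule {        /* hypothetical destination for the three parameters */
    char ruleName[FIELD_MAX];
    char schedule[FIELD_MAX];
    char inboundFilter[FIELD_MAX];
};

/* Copy the raw value of `key` from a form-encoded POST body into dst.
 * Returns 0 on success, -1 if the key is absent or the value would not fit. */
static int get_field(const char *body, const char *key, char *dst, size_t dst_len)
{
    size_t klen = strlen(key);
    const char *p = body;
    while (p && *p) {
        const char *end = strchr(p, '&');
        size_t seg = end ? (size_t)(end - p) : strlen(p);
        if (seg > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            size_t vlen = seg - klen - 1;
            if (vlen >= dst_len)
                return -1;        /* reject outright; never copy past the buffer or truncate silently */
            memcpy(dst, p + klen + 1, vlen);
            dst[vlen] = '\0';
            return 0;
        }
        p = end ? end + 1 : NULL;
    }
    return -1;
}

/* Returns 0 and fills *rule only if all three parameters are present and fit. */
int parse_single_port_forward(const char *body, struct port_forward_rule *rule)
{
    memset(rule, 0, sizeof *rule);
    if (get_field(body, "ruleName", rule->ruleName, sizeof rule->ruleName) ||
        get_field(body, "schedule", rule->schedule, sizeof rule->schedule) ||
        get_field(body, "inboundFilter", rule->inboundFilter, sizeof rule->inboundFilter))
        return -1;
    return 0;
}

int main(void)
{
    struct port_forward_rule r;
    const char *body = "ruleName=web&schedule=always&inboundFilter=allow"; /* constructed sample */
    printf("%s\n", parse_single_port_forward(body, &r) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The same length limits can be enforced in front of the device, for example in a reverse proxy or IDS rule that drops POST requests to /goform/singlePortForwardAdd whose parameters exceed the expected size.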
No modern memory protections such as stack canaries or ASLR are present in the affected firmware, increasing the reliability of exploitation. Public exploit code is available, lowering the technical barrier for attackers.
Affected Systems and Versions
- Linksys RE6250, RE6300, RE6350, RE6500, RE7000, RE9000
- Firmware versions: 1.0.013.001, 1.0.04.001, 1.0.04.002, 1.1.05.003, 1.2.07.001
- Vulnerable when the administrative interface is accessible on the network
Vendor Security History
Linksys has experienced a series of similar stack-based buffer overflow vulnerabilities in its RE series range extenders during 2025. Examples include CVE-2025-9392 (qosClassifier function), CVE-2025-9363 (portTriggerManageRule function), CVE-2025-9248 (RP_pingGatewayByBBS function), CVE-2025-9355 (scheduleAdd function), CVE-2025-9356 (inboundFilterAdd function), and CVE-2025-9393 (addStaProfile function). All share the same root cause: lack of input validation and unsafe memory handling in /goform/ endpoints. The vendor has not responded to coordinated disclosure attempts and has not released patches or advisories for these issues, indicating systemic problems in secure development and vulnerability management.