Introduction
Remote code execution on a network gateway can enable attackers to intercept traffic, deploy persistent malware, or pivot deeper into internal networks. CVE-2025-9526 affects the Linksys E1700 router (firmware 1.0.0.4.003): it is a stack-based buffer overflow that is remotely exploitable and requires no authentication. Public exploit code is available and the vendor has not responded to disclosure attempts, leaving a significant attack surface for both opportunistic and targeted threats.
Technical Information
CVE-2025-9526 is a stack-based buffer overflow vulnerability in the setSysAdm function of the Linksys E1700 router, specifically firmware version 1.0.0.4.003. The flaw is triggered by sending an HTTP POST request to the /goform/setSysAdm endpoint with an overly long value in the rm_port parameter. The setSysAdm function copies this user-supplied parameter into a fixed-size stack buffer without performing proper bounds checking. This allows an attacker to overwrite adjacent stack memory, including the saved return address, and execute arbitrary code with root privileges.
Key technical details:
- Vulnerable endpoint: /goform/setSysAdm
- Vulnerable parameter: rm_port (in POST data)
- Vulnerable function: setSysAdm
- Firmware affected: 1.0.0.4.003 (Linksys E1700)
- Device architecture: MediaTek MT7620A SoC, Linux kernel 2.6.36
- No authentication required to trigger the vulnerability
The device's outdated Linux kernel and lack of modern exploit mitigations (such as ASLR or stack canaries) increase the likelihood of successful exploitation. The exploitation technique is consistent with other recent Linksys buffer overflow vulnerabilities, where attacker-controlled data is written past the end of a stack buffer, corrupting the return address and hijacking control flow. No public code snippet for the vulnerable function is available, but the exploitation method is well documented in related advisories.
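With no vendor patch available, the request pattern described above can be flagged in captured or proxied HTTP traffic. The following Python check is an added example, not code from the advisory or from Linksys. It assumes rm_port carries a TCP port number, so a legitimate value is at most five digits; the function names and sample requests are constructed for illustration.

```python
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/goform/setSysAdm"  # endpoint named in the advisory
PARAM = "rm_port"               # parameter named in the advisory


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, path, body), or None."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].decode("latin-1").split(" ")
    if len(parts) < 2:
        return None
    return parts[0].upper(), urlsplit(parts[1]).path, body


def check_request(raw: bytes):
    """Return a finding string for a suspicious request, else None."""
    parsed = parse_request(raw)
    if parsed is None:
        return None
    method, path, body = parsed
    if method != "POST" or path.rstrip("/") != ENDPOINT:
        return None
    # parse_qs percent-decodes, so an encoded payload is measured decoded.
    values = parse_qs(body.decode("latin-1")).get(PARAM, [])
    for value in values:
        # Assumption: rm_port is a TCP port, i.e. 1-5 ASCII digits, 1..65535.
        is_port = (value.isascii() and value.isdigit()
                   and len(value) <= 5 and 1 <= int(value) <= 65535)
        if not is_port:
            return f"{PARAM} is not a valid port (decoded length {len(value)})"
    if len(values) > 1:
        return f"{PARAM} supplied {len(values)} times"
    return None


# Constructed sample requests (not captured traffic).
HEAD = b"POST /goform/setSysAdm HTTP/1.1\r\nHost: 192.168.1.1\r\n\r\n"
BENIGN = HEAD + b"rm_port=8080"
OVERSIZED = HEAD + b"rm_port=" + b"A" * 600
ENCODED = HEAD + b"rm_port=" + b"%41" * 600
REPEATED = HEAD + b"rm_port=8080&rm_port=8081"

if __name__ == "__main__":
    for name in ("BENIGN", "OVERSIZED", "ENCODED", "REPEATED"):
        print(name, "->", check_request(globals()[name]))
```

The same allow-list logic (POST to this endpoint, rm_port restricted to a valid port number) can be expressed as a reverse-proxy or IDS rule in front of the management interface.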
Affected Systems and Versions
- Product: Linksys E1700 Wireless Router
- Firmware version: 1.0.0.4.003
- Only this specific firmware version is confirmed affected in public advisories
- The vulnerability is present regardless of configuration if the web management interface is accessible
Vendor Security History
Linksys is a major vendor in the consumer and SMB networking space. In 2025, multiple critical buffer overflow vulnerabilities have been reported in Linksys RE and E series products, including:
- CVE-2025-9355 (RE series, scheduleAdd function)
- CVE-2025-9358 (RE series, setSysAdm function)
- CVE-2025-9481 (RE series, setSysAdm function)
Several advisories report no vendor response or patch for these issues. Previous incidents, such as the 2019 Linksys Smart WiFi router information disclosure affecting over 25000 devices, also saw slow or absent vendor response. This pattern raises concerns about Linksys's secure development lifecycle and vulnerability management maturity.