Overview
CVE-2025-9246 is a critical vulnerability found in several models of Linksys wireless range extenders. This flaw exposes the devices to the risk of a stack-based buffer overflow attack, which can be executed remotely. The affected devices include Linksys models RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000. This vulnerability is of significant importance because of the potential for system compromise and data leakage. The vendor, Linksys, has been contacted about the issue but has yet to respond or provide a patch.
Vulnerability Summary
CVE ID: CVE-2025-9246
Severity: Critical (CVSS 8.8)
Attack Vector: Remote
Privileges Required: None
User Interaction: None
Impact: Potential system compromise or data leakage
Affected Products
Escape the Surveillance Era
Most apps won’t tell you the truth.
They’re part of the problem.
Phone numbers. Emails. Profiles. Logs.
It’s all fuel for surveillance.
Ameeba Chat gives you a way out.
- • No phone number
- • No email
- • No personal info
- • Anonymous aliases
- • End-to-end encrypted
Chat without a trace.
Product | Affected Versions
Linksys RE6250 | 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001
Linksys RE6300 | 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001
Linksys RE6350 | 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001
Linksys RE6500 | 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001
Linksys RE7000 | 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001
Linksys RE9000 | 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001
How the Exploit Works
The vulnerability lies in the function “check_port_conflict” of the file “/goform/check_port_conflict”. The manipulation of the argument “single_port_rule/port_range_rule” can lead to a stack-based buffer overflow. Buffer overflow occurs when more data is put into a buffer than it can handle, causing an overflow of data into adjacent storage. This overflow can overwrite other data or cause the executing program to crash, potentially leading to execution of arbitrary code or complete system compromise.
Conceptual Example Code
POST /goform/check_port_conflict HTTP/1.1
Host: target.example.com
Content-Type: application/x-www-form-urlencoded
single_port_rule=1&port_range_rule=%sIn the above example, `%s` represents a string of characters that is longer than what the buffer in the “check_port_conflict” function can handle. This causes a buffer overflow, potentially allowing the attacker to execute arbitrary code or compromise the entire system.
Mitigation Guidance
In the absence of a patch from the vendor, it is recommended to use a Web Application Firewall (WAF) or Intrusion Detection System (IDS) to detect and prevent any attempts to exploit this vulnerability. Monitor network traffic for any unusual activity and ensure that all devices are running the latest firmware version.