CVE Alert: CVE-2025-9392 – Linksys – RE6250
CVE-2025-9392
A security vulnerability has been detected in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. This affects the function qosClassifier of the file /goform/qosClassifier. Such manipulation of the argument dir/sFromPort/sToPort/dFromPort/dToPort/protocol/layer7/dscp/remark_dscp leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Summary Analysis
Risk verdict
High risk with a publicly disclosed exploit enabling remote code execution on affected Linksys routers; urgency is warranted given weaponisation potential.
Why this matters
Successful exploitation could allow an attacker to take control of the router, persist within the network, and pivot to connected hosts or other devices. The impact on confidentiality, integrity and availability is severe, with attacker capability to disrupt services or exfiltrate data from unsecured networks.
Most likely attack path
Remote attacker can trigger a stack-based overflow via the qosClassifier component without user interaction, after presenting crafted traffic. Privilege requirements are low and the attack scales across devices in scope, making lateral movement plausible within a local network or exposed segment. The same-scope nature of the vulnerability raises the risk of broader device compromise without needing administrator credentials.
Who is most exposed
Commonly deployed in homes and small offices, these Linksys models are often on networks where IoT and user devices rely on the router for QoS and routing. Exposure increases if devices are reachable from other network segments or Internet-facing management is enabled.
Detection ideas
- Unexpected reboots/crashes of the qosClassifier service or firmware component.
- Logs showing anomalous /goform/qosClassifier input parameters (dir/sFromPort/sToPort/dFromPort/dToPort/protocol/layer7/dscp/remark_dscp).
- Unusual traffic patterns or spikes coinciding with QoS classifier requests.
- Memory corruption indicators or crash dumps tied to QoS processing.
Mitigation and prioritisation
- Patch devices with the latest firmware addressing this vulnerability; apply vendor advisories promptly.
- Disable or restrict QoS classifier exposure where possible; limit management interfaces to trusted networks; enforce firewall rules to prevent remote access to vulnerable services.
- Implement network segmentation and device hardening for the affected models; schedule bulk updates and verify patch status.
- If patches are delayed, deploy compensating controls and monitor for exploitation indicators; update change-management plans accordingly.
A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.
If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below
To keep up to date follow us on the below channels.
