CVE Alert: CVE-2025-9393 – Linksys – RE6250
CVE-2025-9393
A vulnerability was detected in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. It affects the function addStaProfile of the file /goform/addStaProfile. Manipulating the argument profile_name/Ssid/wep_key_1/wep_key_2/wep_key_3/wep_key_4/wep_key_length/wep_default_key/cipher/passphrase results in a stack-based buffer overflow. The attack can be carried out remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Summary Analysis
Risk verdict
High risk: a publicly disclosed, network-exposed stack-based overflow allows remote code execution on the affected Linksys RE6250/RE6300/RE6350/RE6500/RE7000/RE9000 devices.
Why this matters
Successful exploitation gives an attacker full control of the router, enabling firmware compromise, traffic interception, or use as a foothold for accessing connected devices. The high impact on confidentiality, integrity and availability raises business risk, including service disruption and potential data exposure.
Most likely attack path
Exploitation can occur over the network with no user interaction (AV:N, UI:N) and requires only low privileges (PR:L), enabling remote delivery of the payload via crafted requests to /goform/addStaProfile. With Scope unchanged (S:U), the attacker would compromise the device itself; once foothold is established, further access to devices on the LAN is plausible, subject to device controls and network topology.
Who is most exposed
Edge deployments in homes and small businesses using these Linksys models are most at risk, particularly where management interfaces are reachable from LAN or WLAN segments or where devices sit directly at the network perimeter.
Detection ideas
- Sudden router reboots or memory/stack crash events in logs
- Unusual activity to /goform/addStaProfile or related configuration endpoints
- Crafted requests that resemble buffer-overflow payload patterns
- IOCs from public PoC disclosures or from your own or third-party monitoring feeds
- Abrupt changes in device stability or unexpected configuration changes
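One way to turn the endpoint and payload-pattern ideas above into a check is to flag requests to /goform/addStaProfile whose advisory-named parameters decode to more bytes than a legitimate Wi-Fi profile needs. This is an added example, not code from the advisory or from Linksys; the record format, the per-parameter ceilings other than Ssid and passphrase, and the sample data are assumptions.

```python
from urllib.parse import urlsplit, parse_qsl

ENDPOINT = "/goform/addStaProfile"  # path named in the advisory

# Byte ceilings per advisory-named parameter. Ssid (32) and passphrase (64)
# follow 802.11 SSID and WPA passphrase/hex-PSK sizes; the rest are assumed
# values to tune against legitimate traffic from your own devices.
MAX_LEN = {
    "profile_name": 64, "Ssid": 32, "passphrase": 64, "cipher": 16,
    "wep_key_1": 32, "wep_key_2": 32, "wep_key_3": 32, "wep_key_4": 32,
    "wep_key_length": 4, "wep_default_key": 4,
}

def oversized_params(url, body=""):
    """Return [(param, decoded_byte_length)] for values over their ceiling."""
    parts = urlsplit(url)
    if parts.path != ENDPOINT:
        return []
    hits = []
    # latin-1 maps every percent-decoded byte to one character, so len() is
    # the byte count the device would receive after URL decoding.
    for raw in (parts.query, body):
        for name, value in parse_qsl(raw, keep_blank_values=True,
                                     encoding="latin-1"):
            if name in MAX_LEN and len(value) > MAX_LEN[name]:
                hits.append((name, len(value)))
    return hits

def scan(records):
    """records: iterable of (src_ip, url, body); returns [(src_ip, hits)]."""
    alerts = []
    for src, url, body in records:
        hits = oversized_params(url, body)
        if hits:
            alerts.append((src, hits))
    return alerts

# Constructed sample records: documentation addresses, filler values, and a
# hypothetical /goform/other path to show that other endpoints are ignored.
SAMPLE = [
    ("192.0.2.10", ENDPOINT, "profile_name=home&Ssid=MyNet&cipher=AES&passphrase=example-pass-1234"),
    ("192.0.2.77", ENDPOINT, "profile_name=x&Ssid=" + "%41" * 300 + "&passphrase=" + "B" * 500),
    ("192.0.2.10", "/goform/other", "Ssid=" + "A" * 300),
]

if __name__ == "__main__":
    for src, hits in scan(SAMPLE):
        print(f"ALERT {src} -> {ENDPOINT}: {hits}")
```

Feed it records from whatever captures request bodies in front of the device (a reverse proxy, IDS or packet capture); access logs that record only the request line will miss parameters sent in the body.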
Mitigation and prioritisation
- Apply firmware updates from Linksys as a priority when released; verify remediation coverage for all affected models
- If patches are unavailable, isolate or segment affected devices from sensitive networks; disable or tightly restrict remote management
- Implement strict ACLs and network segmentation to limit exposure to the management interface
- Monitor for exploit attempts and device instability signals; collect IOCs from advisories, including vendor advisories
- Update change-management processes to include urgent patch testing for edge devices; reassess priority if exploitation appears active in your environment