CVE Alert: CVE-2025-9526 – Linksys – E1700
CVE-2025-9526
A vulnerability has been found in Linksys E1700 1.0.0.4.003. Affected by this issue is the function setSysAdm of the file /goform/setSysAdm. Such manipulation of the argument rm_port leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Summary Analysis
Risk verdict
High risk of remote code execution with public exploit details; treat as a priority given easy remote triggering and high impact.
Why this matters
The vulnerability enables a remote attacker to overflow a stack via a management interface, potentially taking control of the device and compromising networks behind it. With no user interaction required and public PoC, exposed devices could be weaponised for further network access, data exfiltration, or pivoting to connected hosts.
Most likely attack path
An attacker needs network access to the device’s management surface and can exploit without user action, thanks to low complexity and no UI interaction. Privilege requirements are low (PR:L), but exploitation yields full impact on the device (C/H, I/H, A/H); successful compromise could enable persistent access and lateral movement to connected devices within the local network.
Who is most exposed
Home and small business deployments with internet-facing or poorly restricted admin interfaces are most at risk, particularly devices lacking recent firmware or effective network segmentation.
Detection ideas
- Unexplained router reboots or crashes and memory-related error logs.
- Unusual spikes or patterns in management-interface traffic, especially to /goform/setSysAdm or rm_port-related requests.
- Remote admin access attempts from unauthorised IPs or frequency of management POST requests without authentication prompts.
- Logs showing stack traces or kernel/user-space crashes related to the management process.
- PoC indicators in network traffic or host indicators correlating with public exploit activity.
Mitigation and prioritisation
- Apply the vendor’s patched firmware or upgrade to the latest supported version; if unavailable, tighten controls on remote management (disable internet exposure, require VPN, or restrict by trusted IPs).
- Disable or limit remote admin access; enable strong access controls and logging.
- Implement network segmentation for IoT/edge devices; monitor for anomalous admin activity and device reboots.
- Verify configurations and perform a controlled patch validation in a lab prior to broader rollout.
- If KEV or EPSS data become available (true or ≥0.5), escalate to priority 1 and adjust downtime planning accordingly.
A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.
If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below
To keep up to date follow us on the below channels.
