CVE-2025-60696

8.4 HIGH

📋 TL;DR

A stack-based buffer overflow in the makeRequest.cgi binary on Linksys RE7000 devices (firmware FW_v2.0.15_211230_1012) lets a local attacker crash the process or potentially execute arbitrary code. The bug is in the arplookup function, which parses ARP table data (the contents of /proc/net/arp) into fixed-size stack buffers without adequate bounds checks. Only devices running the listed firmware version are confirmed affected.
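The C example below is added by the editor and is not code from the RE7000 firmware or from the public PoC; it illustrates the bug class the advisory describes. A hypothetical arplookup_vuln() parses a /proc/net/arp row with unbounded sscanf %s conversions into fixed stack buffers, which is how a parser of this kind overflows its frame; arplookup_safe() beside it bounds every conversion, detects truncation with %n, and validates the IP and MAC fields, and parse_arp_table() applies it to a whole dump. The sample rows are constructed; the six-column layout is the standard /proc/net/arp format, and the function names and buffer sizes are assumptions for the example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <arpa/inet.h>

/* One row of /proc/net/arp. Buffer sizes fit well-formed values only:
 * dotted-quad IPv4 (<= 15 chars), MAC (17 chars), interface name (IFNAMSIZ 16). */
typedef struct {
    char ip[16];
    char mac[18];
    char dev[16];
} arp_entry;

/* Constructed sample rows in the format the kernel prints (not captured from a device). */
static const char SAMPLE_ROW[] =
    "192.168.1.10     0x1         0x2         aa:bb:cc:dd:ee:ff     *        br0\n";
static const char OVERLONG_DEV_ROW[] =
    "192.168.1.10     0x1         0x2         aa:bb:cc:dd:ee:ff     *        "
    "br0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n";
static const char SAMPLE_TABLE[] =
    "IP address       HW type     Flags       HW address            Mask     Device\n"
    "192.168.1.10     0x1         0x2         aa:bb:cc:dd:ee:ff     *        br0\n"
    "192.168.1.1      0x1         0x2         11:22:33:44:55:66     *        br0\n";

/* Hypothetical VULNERABLE pattern (not the RE7000 binary's code): unbounded %s copies
 * each whitespace-delimited field into a fixed stack buffer, so a field longer than its
 * buffer overruns the stack frame, the bug class CVE-2025-60696 describes.
 * Never feed it untrusted input; it is here only for contrast with the safe version. */
static int arplookup_vuln(const char *row, arp_entry *out)
{
    char hwtype[8], flags[8], mask[8];
    return sscanf(row, "%s %s %s %s %s %s",
                  out->ip, hwtype, flags, out->mac, mask, out->dev) == 6 ? 0 : -1;
}

/* Accept only xx:xx:xx:xx:xx:xx with hex digits. */
static int valid_mac(const char *m)
{
    if (strlen(m) != 17) return 0;
    for (int i = 0; i < 17; i++) {
        if (i % 3 == 2) { if (m[i] != ':') return 0; }
        else if (!isxdigit((unsigned char)m[i])) return 0;
    }
    return 1;
}

/* Hardened parser: every conversion is width-limited to its buffer, the trailing %n
 * exposes truncation (a clipped field leaves leftover text on the row), and the IP and
 * MAC fields are validated before use. Returns 0 on success, -1 on any malformed row. */
static int arplookup_safe(const char *row, arp_entry *out)
{
    char hwtype[8], flags[8], mask[8];
    struct in_addr a;
    int n = 0;
    if (sscanf(row, "%15s %7s %7s %17s %7s %15s%n",
               out->ip, hwtype, flags, out->mac, mask, out->dev, &n) != 6)
        return -1;
    for (const char *p = row + n; *p; p++)          /* anything after field 6 = truncation */
        if (!isspace((unsigned char)*p)) return -1;
    if (inet_pton(AF_INET, out->ip, &a) != 1) return -1;
    if (!valid_mac(out->mac)) return -1;
    return 0;
}

/* Parse a whole /proc/net/arp dump: skip the header line, parse each row with the
 * hardened parser, stop at the first malformed or oversized row.
 * Returns the number of entries stored in out, or -1 on error. */
static int parse_arp_table(const char *text, arp_entry *out, int max)
{
    const char *line = strchr(text, '\n');          /* skip the header line */
    int count = 0;
    if (!line) return -1;
    line++;
    while (*line && count < max) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        char row[256];
        if (len >= sizeof row) return -1;           /* refuse oversized rows, do not clip */
        memcpy(row, line, len);
        row[len] = '\0';
        if (arplookup_safe(row, &out[count]) != 0) return -1;
        count++;
        line = end ? end + 1 : line + len;
    }
    return count;
}

int main(void)
{
    arp_entry e[8];
    int n = parse_arp_table(SAMPLE_TABLE, e, 8);
    printf("parsed %d entries\n", n);
    for (int i = 0; i < n; i++)
        printf("  %s -> %s on %s\n", e[i].ip, e[i].mac, e[i].dev);
    printf("vulnerable parser on a well-formed row: %s\n",
           arplookup_vuln(SAMPLE_ROW, &e[0]) == 0 ? "ok" : "error");
    printf("hardened parser on an overlong device field: %s\n",
           arplookup_safe(OVERLONG_DEV_ROW, &e[0]) == 0 ? "ACCEPTED (bug)" : "rejected");
    return 0;
}
```

The width specifiers alone are not enough: a clipped field silently shifts the remaining tokens, so the %n check that rejects leftover text is what turns "overflow" into "clean parse error".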

💻 Affected Systems

Products:
  • Linksys RE7000
Versions: Firmware FW_v2.0.15_211230_1012
Operating Systems: Embedded Linux (router firmware)
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects this specific firmware version; earlier/later versions may have different code.

📦 What is this software?

The Linksys RE7000 is a consumer Wi-Fi range extender (this page refers to it as a router). makeRequest.cgi is a CGI binary in its firmware, executed by the device's embedded web management interface; its arplookup function reads the device's ARP table.

⚠️ Risk & Real-World Impact

🔴

Worst Case

A local attacker turns the overflow into code execution in makeRequest.cgi, which on embedded firmware of this kind typically runs as root, enabling persistent backdoor installation, interception of traffic passing through the device, and lateral movement to connected hosts.

🟠

Likely Case

Denial of service: makeRequest.cgi crashes or the device reboots, disrupting the network it serves. Code execution is possible in principle but requires control over the overflowed data and knowledge of the target binary's layout.

🟢

If Mitigated

A device to which attackers have no local access cannot be reached by this bug; network segmentation limits the impact of a compromised device to the segment it serves.

🌐 Internet-Facing: LOW - The overflow is triggered through the device's own ARP table (/proc/net/arp), not by a request arriving from the internet.
🏢 Internal Only: HIGH - An attacker with a local foothold, whether a shell on the device or a compromised host on the same network segment, could potentially reach the vulnerable code.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

The available description frames the vulnerable input as the ARP table, that is, the contents of /proc/net/arp read by makeRequest.cgi, and states that exploitation requires local access. Caveat: /proc/net/arp is a read-only kernel view and cannot be written to directly; the kernel fills it from ARP traffic seen on the local network, and entries can also be added with tools such as ip neigh or arp -s. Whether a host on the LAN can place an entry that trips the overflow, or whether a shell on the device is needed first, is not established by the description; treat a local foothold as the baseline requirement and a LAN-adjacent attacker as the worst case. A public PoC is reported to exist in a GitHub repository.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.linksys.com/

Restart Required: Yes

Instructions:

1. Check the Linksys website for firmware updates for the RE7000.
2. If an update is available, download and install it via the device's admin interface.
3. Reboot the device after installation.

🔧 Temporary Workarounds

Restrict local access to router

all

Prevent unauthorized local access to router administration and services

Disable CGI execution if not needed

linux

Remove execute permissions from makeRequest.cgi if the web interface does not need it. Caveat: most embedded firmware keeps the root filesystem read-only, so the chmod may fail or be lost at the next reboot, and removing the CGI may break the management interface. Test on a non-production unit first.

chmod -x /path/to/makeRequest.cgi

🧯 If You Can't Patch

  • Segment the network so that untrusted devices cannot reach the RE7000 or its management interface
  • Harden the hosts on the same segment, since a compromised host is the most likely starting point for an attack on the device

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface; if version is FW_v2.0.15_211230_1012, system is vulnerable.

Check Version:

Read the firmware version from the device's web administration interface (the page gives 192.168.1.1 as the address; use whatever address your device is configured with). With shell access, note that cat /proc/version reports only the kernel build string, which does not identify the firmware release; use the firmware version field in the web interface instead.

Verify Fix Applied:

After the firmware update, confirm that the reported version is no longer FW_v2.0.15_211230_1012 and that the device still functions (no fixed version is named in the available information, so the vendor release notes are the authority on which build contains the fix).

📡 Detection & Monitoring

Log Indicators:

  • Unusual ARP table modifications
  • Router crash/restart logs
  • Failed CGI execution attempts

Network Indicators:

  • Router becoming unresponsive
  • ARP table anomalies
  • Unexpected network traffic from router

SIEM Query:

source="router_logs" AND ("makeRequest.cgi" OR "arplookup" OR "ARP table corruption")

Adjust the source name and terms to your log pipeline; no specific RE7000 log message for this bug is documented here, so "ARP table corruption" is a placeholder search term rather than a known string.
