CVE-2025-9245

8.8 HIGH

📋 TL;DR

A stack-based buffer overflow vulnerability in Linksys WiFi range extenders allows remote attackers to execute arbitrary code by manipulating the SSID parameter in the WPSSTAPINEnr function. This affects multiple RE series models running vulnerable firmware versions. Remote exploitation is possible without authentication.

💻 Affected Systems

Products:
  • Linksys RE6250
  • Linksys RE6300
  • Linksys RE6350
  • Linksys RE6500
  • Linksys RE7000
  • Linksys RE9000
Versions: 1.0.013.001, 1.0.04.001, 1.0.04.002, 1.1.05.003, 1.2.07.001
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All devices running affected firmware versions are vulnerable by default. The vulnerable endpoint /goform/WPSSTAPINEnr is accessible via web interface.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete device compromise, lateral movement to connected networks, and persistent backdoor installation.

🟠 Likely Case

Device crash/reboot (DoS) or limited code execution to modify device settings, intercept network traffic, or join botnets.

🟢 If Mitigated

Limited impact if devices are behind firewalls with strict inbound filtering and network segmentation.

🌐 Internet-Facing: HIGH - Remote exploitation possible without authentication, public exploit available, and many devices directly internet-accessible.
🏢 Internal Only: MEDIUM - Still exploitable from internal networks, but requires attacker foothold on local network.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code exists on GitHub. Remote exploitation requires no authentication. The vulnerability is in a web form handler accessible via HTTP requests.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.linksys.com/

Restart Required: Yes

Instructions:

1. Check the Linksys website for firmware updates.
2. If an update is available, download and install it via the web interface.
3. Reboot the device after the update.

Note: As of analysis, the vendor has not responded or released patches.

🔧 Temporary Workarounds

Disable WPS and web administration (Applies to: all)

Disable WPS functionality and restrict web administration access to reduce the attack surface.

Network segmentation and firewall rules (Applies to: all)

Isolate range extenders on separate VLANs and block external access to management interfaces.

🧯 If You Can't Patch

  • Replace vulnerable devices with patched or different models
  • Implement strict network segmentation to isolate range extenders from critical assets

🔍 How to Verify

Check if Vulnerable:

Check the device firmware version in the web interface at http://[device-ip]/ (the admin interface) and compare it against the affected versions listed above.

Check Version:

curl -s http://[device-ip]/ | grep -i firmware

If the firmware string does not appear in the fetched page, check the web interface manually.

Verify Fix Applied:

Verify that the firmware version has been updated to one not listed among the affected versions. Test whether the /goform/WPSSTAPINEnr endpoint still responds.

📡 Detection & Monitoring

Log Indicators:

  • Multiple POST requests to /goform/WPSSTAPINEnr
  • Unusually long SSID parameter values in web logs
  • Device reboot/crash logs

Network Indicators:

  • HTTP POST requests to /goform/WPSSTAPINEnr with oversized SSID parameters
  • Unexpected outbound connections from range extenders

SIEM Query:

source="web_logs" AND uri="/goform/WPSSTAPINEnr" AND (param_length(ssid) > 100 OR status_code=500)
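The three log indicators above, implemented as a small detector run over constructed sample log lines (added example, not part of the advisory). The log format, the 100-character SSID threshold taken from the SIEM query, and the "more than two POSTs from one source" repeat threshold are assumptions.

```python
import re
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample lines (not real device logs); assumed format:
# "<timestamp> <client-ip> <method> <uri> <status> body=<urlencoded form body>"
SAMPLE_LOG = [
    "2025-09-01T10:00:01Z 192.0.2.10 POST /goform/WPSSTAPINEnr 200 body=ssid=HomeNet&pin=12345670",
    "2025-09-01T10:00:05Z 192.0.2.10 POST /goform/WPSSTAPINEnr 200 body=ssid=HomeNet&pin=12345670",
    "2025-09-01T10:00:09Z 192.0.2.10 POST /goform/WPSSTAPINEnr 200 body=ssid=HomeNet&pin=12345670",
    "2025-09-01T10:01:12Z 198.51.100.7 POST /goform/WPSSTAPINEnr 500 body=ssid=" + "A" * 300 + "&pin=00000000",
    "2025-09-01T10:02:00Z 192.0.2.22 GET /index.htm 200 body=",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<uri>\S+) (?P<status>\d{3}) body=(?P<body>.*)$"
)
ENDPOINT = "/goform/WPSSTAPINEnr"
SSID_MAX = 100    # threshold from the advisory's SIEM query (assumed)
REPEAT_MAX = 2    # more POSTs than this from one source counts as "multiple" (assumed)


def parse_line(line):
    """Parse one log line into a dict; return None for lines in another format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # Decode the urlencoded form body; keep_blank_values so "ssid=" still parses.
    # Length is measured on the decoded value, which is what the handler copies.
    rec["params"] = {k: v[0] for k, v in parse_qs(rec["body"], keep_blank_values=True).items()}
    return rec


def detect(lines, ssid_max=SSID_MAX, repeat_max=REPEAT_MAX):
    """Return (indicator, source-ip, detail) tuples for the advisory's log indicators."""
    alerts = []
    posts_per_src = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["uri"] != ENDPOINT:
            continue
        posts_per_src[rec["src"]] += 1
        ssid = rec["params"].get("ssid", "")
        if len(ssid) > ssid_max:                      # oversized SSID parameter
            alerts.append(("oversized_ssid", rec["src"], len(ssid)))
        if rec["status"] == "500":                    # handler error, possible crash
            alerts.append(("server_error", rec["src"], rec["status"]))
    for src, n in posts_per_src.items():              # repeated POSTs to the endpoint
        if n > repeat_max:
            alerts.append(("repeated_posts", src, n))
    return alerts
```

Feed real access or proxy logs through `detect` after adjusting `LINE_RE` to their format; the thresholds are starting points, not tuned values.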
