CVE-2025-9392
📋 TL;DR
A stack-based buffer overflow vulnerability in Linksys RE series range extenders allows remote attackers to execute arbitrary code by sending specially crafted requests to the qosClassifier function. This affects multiple RE model devices running vulnerable firmware versions. Attackers can exploit this without authentication to potentially take full control of affected devices.
💻 Affected Systems
- Linksys RE6250
- Linksys RE6300
- Linksys RE6350
- Linksys RE6500
- Linksys RE7000
- Linksys RE9000
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete device compromise, creation of persistent backdoors, lateral movement to other network devices, and data exfiltration.
Likely Case
Device takeover enabling attackers to intercept network traffic, modify device settings, use the device as a pivot point for further attacks, or enlist it in botnets.
If Mitigated
Limited impact if devices are behind firewalls with strict inbound filtering, though internal network compromise remains possible.
🎯 Exploit Status
Public proof-of-concept available on GitHub. Exploitation requires sending crafted HTTP POST requests to /goform/qosClassifier with manipulated parameters.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None available
Restart Required: Yes
Instructions:
No official patch available. Monitor Linksys security advisories for firmware updates. If an update becomes available:
1. Download firmware from Linksys support site
2. Access device web interface
3. Navigate to firmware update section
4. Upload and apply new firmware
5. Reboot device
🔧 Temporary Workarounds
Network Segmentation and Access Control
Isolate range extenders on separate VLANs and restrict access to management interfaces
Firewall Rules
Block external access to device web interfaces and restrict internal access to trusted IPs only
🧯 If You Can't Patch
- Replace affected devices with models not impacted by this vulnerability
- Disable QoS functionality if possible through device configuration
🔍 How to Verify
Check if Vulnerable:
Check device firmware version via web interface: Settings > Administration > Firmware Update. Compare version against affected list.
Check Version:
No CLI command available. Use web interface or check device label for firmware version.
Verify Fix Applied:
Verify that the firmware version has been updated to a version not listed in affected versions. Test by attempting to access /goform/qosClassifier while monitoring the device for crash behavior.
📡 Detection & Monitoring
Log Indicators:
- Multiple POST requests to /goform/qosClassifier with unusual parameter values
- Device crash/reboot logs
- Unusual outbound connections from range extender
Network Indicators:
- HTTP POST requests to /goform/qosClassifier with manipulated dir/sFromPort/sToPort/dFromPort/dToPort/protocol/layer7/dscp/remark_dscp parameters
- Sudden device reboots
SIEM Query:
http.method:POST AND http.uri:"/goform/qosClassifier" AND (http.param:* OR http.body:*qosClassifier*)
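Added example (not from the original advisory or from Linksys): a narrower version of the query above that flags only POSTs to /goform/qosClassifier in which one of the listed parameters carries an oversized value. The record layout (source, method, URI, form-encoded body) and the 32-byte threshold are assumptions; tune both to your proxy or IDS export.

```python
from urllib.parse import parse_qsl, urlsplit

TARGET_PATH = "/goform/qosClassifier"
# Parameter names taken from the Network Indicators list above.
WATCHED = {"dir", "sFromPort", "sToPort", "dFromPort", "dToPort",
           "protocol", "layer7", "dscp", "remark_dscp"}
MAX_VALUE_LEN = 32  # assumed ceiling for a legitimate port/protocol/DSCP value


def inspect_request(method, uri, body):
    """Return [(param, decoded_length)] for watched params over the threshold."""
    parts = urlsplit(uri)
    if method.upper() != "POST" or parts.path.rstrip("/") != TARGET_PATH:
        return []
    # Check both the query string and the form body; values are URL-decoded
    # first so percent-encoding cannot hide the real length.
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)
    findings = []
    for name, value in pairs:
        size = len(value.encode("utf-8", "replace"))
        if name in WATCHED and size > MAX_VALUE_LEN:
            findings.append((name, size))
    return findings


def scan(records):
    """records: iterable of (src_ip, method, uri, body). Returns {src_ip: findings}."""
    alerts = {}
    for src, method, uri, body in records:
        hits = inspect_request(method, uri, body)
        if hits:
            alerts.setdefault(src, []).extend(hits)
    return alerts


# Constructed sample records (documentation IP range), not real traffic.
SAMPLE = [
    ("192.0.2.10", "POST", "/goform/qosClassifier",
     "dir=1&sFromPort=80&sToPort=80&protocol=tcp&dscp=0"),
    ("192.0.2.77", "POST", "/goform/qosClassifier",
     "dir=1&sFromPort=" + "A" * 300 + "&protocol=tcp"),
    ("192.0.2.77", "GET", "/goform/qosClassifier", ""),
    ("192.0.2.10", "POST", "/goform/other", "dscp=" + "B" * 300),
]

if __name__ == "__main__":
    for src, hits in scan(SAMPLE).items():
        print(f"ALERT {src}: oversized qosClassifier parameters {hits}")
```

Correlate any alert with the device reboot indicator above: an oversized parameter followed shortly by a restart of the extender is a stronger signal than either event alone.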
🔗 References
- https://github.com/wudipjq/my_vuln/blob/main/Linksys/vuln_32/32.md
- https://github.com/wudipjq/my_vuln/blob/main/Linksys/vuln_32/32.md#poc
- https://vuldb.com/?ctiid.321225
- https://vuldb.com/?id.321225
- https://vuldb.com/?submit.631537
- https://www.linksys.com/