CVE-2025-9575
📋 TL;DR
This CVE describes a remote command injection vulnerability in multiple Linksys RE-series Wi-Fi range extender models. Attackers can execute arbitrary operating system commands by manipulating the filename parameter in the upload.cgi endpoint. All devices running the affected firmware versions are vulnerable to remote exploitation.
💻 Affected Systems
- Linksys RE6250
- Linksys RE6300
- Linksys RE6350
- Linksys RE6500
- Linksys RE7000
- Linksys RE9000
📦 What is this software?
The affected products are Linksys RE-series Wi-Fi range extenders. The vulnerable component is the embedded firmware's web management interface, specifically the upload.cgi handler that processes the filename parameter.
⚠️ Risk & Real-World Impact
Worst Case
Complete device compromise, allowing an attacker to install persistent backdoors, pivot into internal networks, or enlist the device in a botnet.
Likely Case
Remote code execution leading to device takeover, credential theft, or denial of service.
If Mitigated
No impact if the device is isolated from untrusted networks or the firmware is patched.
🎯 Exploit Status
A public proof-of-concept exists on GitHub, making exploitation trivial for an attacker with network access to the device.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None available
Restart Required: Yes
Instructions:
No official patch available. Vendor did not respond to disclosure. Consider replacing devices or implementing network controls.
🔧 Temporary Workarounds
Network Segmentation
Isolate affected devices from untrusted networks and restrict access to management interfaces.
Access Control Lists
Implement firewall rules to block external access to ports 80/443 on affected devices. Note that the rules below, as written, drop all inbound traffic to those ports on the host where they are applied, including legitimate administration; add a source restriction if the management interface must stay reachable from a trusted host.
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
🧯 If You Can't Patch
- Remove affected devices from production networks entirely
- Replace with different models or brands that receive security updates
🔍 How to Verify
Check if Vulnerable:
Check the device firmware version via the web interface at http://device-ip/, or use an nmap scan for device identification.
Check Version:
curl -s http://device-ip/ | grep -i firmware
If the version string is not exposed on the landing page, connect to the web interface manually and read it from the device status page.
Verify Fix Applied:
No fix available to verify. Only verification is device replacement or complete network isolation.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /cgi-bin/upload.cgi with shell metacharacters in parameters
- Unexpected process execution from web server context
Network Indicators:
- HTTP requests to /cgi-bin/upload.cgi with suspicious filename parameters containing semicolons, pipes, or backticks
SIEM Query:
source="web_logs" AND uri="/cgi-bin/upload.cgi" AND (filename="*;*" OR filename="*|*" OR filename="*`*")
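The SIEM query above matches the raw metacharacters, so a URL-encoded `%3B` or double-encoded `%257C` in the filename parameter slips past it. The following log scanner, added here as an example and not part of the original advisory or the vendor's tooling, decodes the parameter before matching and also covers `$(` and newline, which reach a shell the same way as the three characters the advisory lists. The combined-format log lines are constructed samples; only the query string is checked, because standard web server logs do not record POST bodies.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Metacharacters from the advisory (; | `) plus $( and newline, matched after decoding.
SHELL_META = re.compile(r"[;|`\n]|\$\(")

# Combined-log-style line: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines; 192.0.2.0/24 is documentation address space.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Sep/2025:12:00:01 +0000] "POST /cgi-bin/upload.cgi?filename=photo.jpg HTTP/1.1" 200 512',
    '192.0.2.11 - - [10/Sep/2025:12:00:02 +0000] "POST /cgi-bin/upload.cgi?filename=photo.jpg%3Btest HTTP/1.1" 200 512',
    '192.0.2.12 - - [10/Sep/2025:12:00:03 +0000] "POST /cgi-bin/upload.cgi?filename=a%257Cb HTTP/1.1" 200 512',
    '192.0.2.13 - - [10/Sep/2025:12:00:04 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '192.0.2.14 - - [10/Sep/2025:12:00:05 +0000] "POST /cgi-bin/upload.cgi?filename=report%60x%60.txt HTTP/1.1" 200 512',
]


def suspicious_filenames(target):
    """Return decoded filename values in `target` that carry shell metacharacters.

    Only /cgi-bin/upload.cgi is inspected. parse_qs performs one URL-decode;
    the extra unquote() catches double-encoded values such as %257C.
    """
    parts = urlsplit(target)
    if parts.path != "/cgi-bin/upload.cgi":
        return []
    hits = []
    for value in parse_qs(parts.query, keep_blank_values=True).get("filename", []):
        decoded = unquote(value)
        if SHELL_META.search(decoded):
            hits.append(decoded)
    return hits


def scan_log(lines):
    """Return (client_ip, decoded_filename) for every suspicious upload.cgi request."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        for fname in suspicious_filenames(m.group("target")):
            alerts.append((m.group("ip"), fname))
    return alerts


if __name__ == "__main__":
    for ip, fname in scan_log(SAMPLE_LOG):
        print(f"ALERT {ip} upload.cgi filename={fname!r}")
```

If the filename is sent in a multipart POST body rather than the query string, run the same check on a reverse proxy or WAF that logs form fields.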
🔗 References
- https://github.com/wudipjq/my_vuln/blob/main/Linksys/vuln_13/13.md
- https://github.com/wudipjq/my_vuln/blob/main/Linksys/vuln_13/13.md#poc
- https://vuldb.com/?ctiid.321689
- https://vuldb.com/?id.321689
- https://vuldb.com/?submit.634840
- https://www.linksys.com/