CVE-2025-8816
BaseFortify
Publication date: 2025-08-10
Last updated on: 2025-09-04
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linksys | re6250_firmware | 1.0.04.001 |
| linksys | re6250 | * |
| linksys | re6300_firmware | 1.2.07.001 |
| linksys | re6300 | * |
| linksys | re6350_firmware | 1.0.04.001 |
| linksys | re6350 | * |
| linksys | re7000_firmware | 1.1.05.003 |
| linksys | re7000 | * |
| linksys | re9000_firmware | 1.0.04.002 |
| linksys | re9000 | * |
| linksys | re6500_firmware | 1.0.013.001 |
| linksys | re6500 | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-8816 is a stack-based buffer overflow vulnerability found in multiple Linksys range extender models (RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000) up to firmware version 20250801. The flaw exists in the setOpMode function, specifically in the handling of the 'ethConv' parameter. An attacker can send a crafted input with an excessively long 'ethConv' argument, causing a stack overflow. This can lead to remote code execution or crashing the device without requiring authentication. [1, 2]
How can this vulnerability impact me? :
This vulnerability can severely impact affected devices by allowing remote attackers to compromise confidentiality, integrity, and availability. Attackers can crash the device or potentially execute arbitrary code remotely, leading to device takeover or denial of service. Since no authentication is required and exploits are publicly available, the risk is high. There are no known mitigations, and replacement of affected devices is recommended. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection can involve monitoring for unusual or malformed HTTP requests targeting the /goform/setOpMode endpoint with an abnormally long or crafted ethConv parameter, which may indicate exploitation attempts. Since the vulnerability is a stack-based buffer overflow triggered by the ethConv argument, inspecting HTTP traffic to this endpoint for suspicious payloads is recommended. Specific commands depend on your environment, but using tools like curl or wget to test the endpoint with crafted inputs, or network monitoring tools (e.g., tcpdump, Wireshark) to capture and analyze traffic for such requests, can help detect attempts. For example, a curl command to test might be: curl -X POST http://<router-ip>/goform/setOpMode -d "ethConv=$(python3 -c 'print("A"*1000)')". However, no official detection scripts or signatures are provided. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
There are no known patches or vendor-provided mitigations for this vulnerability as the vendor did not respond. Immediate mitigation steps include replacing affected Linksys devices (RE6250, RE6300, RE6350, RE6500, RE7000, RE9000 with firmware up to 20250801) with alternative hardware not vulnerable to this issue. Additionally, restricting remote access to the affected devices, disabling remote management if possible, and monitoring network traffic for exploitation attempts can reduce risk until replacement is possible. [2]