CVE-2025-8818
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-08-10

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability has been found in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 up to 20250801. Affected by this issue is the function setDFSSetting of the file /goform/setLan. The manipulation of the argument lanNetmask/lanIp leads to os command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-08-10
Last Modified
2026-04-29
Generated
2026-05-27
AI Q&A
2025-08-11
EPSS Evaluated
2026-05-25
NVD
CVE-2025-8818
EUVD
EUVD-2025-24100
Affected Vendors & Products
Showing 12 associated CPEs
Vendor Product Version / Range
linksys re6250_firmware 1.0.04.001
linksys re6250 *
linksys re6300_firmware 1.2.07.001
linksys re6300 *
linksys re6350_firmware 1.0.04.001
linksys re6350 *
linksys re7000_firmware 1.1.05.003
linksys re7000 *
linksys re9000_firmware 1.0.04.002
linksys re9000 *
linksys re6500_firmware 1.0.013.001
linksys re6500 *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in certain Linksys range extender models (RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000) up to the date 2025-08-01. It affects the setDFSSetting function in the /goform/setLan file, where manipulation of the lanNetmask or lanIp arguments can lead to operating system command injection. This means an attacker can remotely execute arbitrary OS commands on the device.


How can this vulnerability impact me? :

The vulnerability allows a remote attacker to execute arbitrary operating system commands on affected Linksys devices. This can lead to unauthorized control over the device, potentially compromising network security, disrupting device functionality, or enabling further attacks within the network.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart