CVE-2025-8822
BaseFortify
Publication date: 2025-08-11
Last updated on: 2025-09-04
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linksys | re6250_firmware | 1.0.04.001 |
| linksys | re6250 | * |
| linksys | re6300_firmware | 1.2.07.001 |
| linksys | re6300 | * |
| linksys | re6350_firmware | 1.0.04.001 |
| linksys | re6350 | * |
| linksys | re7000_firmware | 1.1.05.003 |
| linksys | re7000 | * |
| linksys | re9000_firmware | 1.0.04.002 |
| linksys | re9000 | * |
| linksys | re6500_firmware | 1.0.013.001 |
| linksys | re6500 | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-8822 is a stack-based buffer overflow vulnerability found in multiple Linksys range extender models (RE6250, RE6300, RE6350, RE6500, RE7000, RE9000) up to firmware version 20250801. The flaw exists in the function 'algDisable' accessed via the '/goform/setOpMode' endpoint. An attacker can manipulate the 'opMode' parameter with crafted input that is too long, causing a stack overflow. This can be exploited remotely without authentication to crash the device or potentially execute arbitrary code. [1, 2]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing remote attackers to compromise the confidentiality, integrity, and availability of affected Linksys devices. Attackers can crash the device or execute arbitrary code remotely without any authentication, potentially taking full control of the device. There are no known mitigations or patches, and the vendor has not responded, so affected devices remain at high risk. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring network traffic for requests to the endpoint /goform/setOpMode with suspicious or unusually long opMode parameters, which trigger the stack-based buffer overflow. Since the exploit targets the algDisable function via the opMode argument, inspecting HTTP POST requests to this endpoint for abnormal payload sizes or patterns may help detect exploitation attempts. Specific commands could include using network monitoring tools like tcpdump or Wireshark to filter HTTP traffic to /goform/setOpMode, for example: tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' and then searching for 'POST /goform/setOpMode' in the captured data. Additionally, using curl or wget to test the endpoint with crafted opMode parameters can help verify if the device is vulnerable. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
There are no known patches or vendor-provided mitigations for this vulnerability as the vendor has not responded. Immediate mitigation steps include replacing affected Linksys devices (RE6250, RE6300, RE6350, RE6500, RE7000, RE9000 with firmware up to 20250801) with alternative products not affected by this vulnerability. Additionally, restricting network access to the vulnerable devices, especially blocking remote access to the /goform/setOpMode endpoint, can reduce exposure. Monitoring for exploitation attempts and isolating affected devices from untrusted networks are also recommended. [2]