CVE-2025-8825
BaseFortify
Publication date: 2025-08-11
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linksys | re6250_firmware | 1.0.04.001 |
| linksys | re6250 | * |
| linksys | re6300_firmware | 1.2.07.001 |
| linksys | re6300 | * |
| linksys | re6350_firmware | 1.0.04.001 |
| linksys | re6350 | * |
| linksys | re7000_firmware | 1.1.05.003 |
| linksys | re7000 | * |
| linksys | re9000_firmware | 1.0.04.002 |
| linksys | re9000 | * |
| linksys | re6500_firmware | 1.0.013.001 |
| linksys | re6500 | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-8825 is an OS command injection vulnerability in multiple Linksys range extender models (RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000). It occurs in the RP_setBasicAuto function at the /goform/RP_setBasicAuto endpoint, where the staticIp and staticNetmask parameters are not properly sanitized. This allows a remote attacker to inject and execute arbitrary operating system commands on the affected device without needing local access. [1, 2]
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized remote execution of arbitrary OS commands on affected Linksys devices, compromising the confidentiality, integrity, and availability of the device. An attacker could potentially take control of the device, disrupt its operation, or use it as a foothold for further attacks within the network. The exploit is easy to perform and publicly available, increasing the risk of exploitation. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious or unexpected requests to the endpoint /goform/RP_setBasicAuto, especially those containing the parameters staticIp or staticNetmask with unusual or command injection payloads. Network intrusion detection systems (NIDS) can be configured to alert on HTTP requests targeting this endpoint with suspicious input patterns. Additionally, checking device logs for unexpected command executions or anomalies related to the RP_setBasicAuto function may help. Specific commands to detect exploitation attempts are not provided in the resources. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include replacing affected Linksys devices (RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000 with firmware up to 20250801) with alternative products, as no vendor patches or fixes are currently available. It is also advisable to restrict remote access to these devices, disable any unnecessary remote management features, and monitor network traffic for exploitation attempts. Since no known mitigations or countermeasures exist, minimizing exposure and device replacement are the recommended actions. [2]