CVE-2025-8827
BaseFortify
Publication date: 2025-08-11
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linksys | re6250_firmware | 1.0.04.001 |
| linksys | re6250 | * |
| linksys | re6300_firmware | 1.2.07.001 |
| linksys | re6300 | * |
| linksys | re6350_firmware | 1.0.04.001 |
| linksys | re6350 | * |
| linksys | re7000_firmware | 1.1.05.003 |
| linksys | re7000 | * |
| linksys | re9000_firmware | 1.0.04.002 |
| linksys | re9000 | * |
| linksys | re6500_firmware | 1.0.013.001 |
| linksys | re6500 | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-8827 is an OS command injection vulnerability in multiple Linksys range extender models (RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000) up to firmware version 20250801. The flaw exists in the function um_inspect_cross_band within the /goform/RP_setBasicAuto endpoint, where the staticGateway parameter is improperly handled. An attacker can remotely send crafted requests that inject arbitrary operating system commands via this parameter, potentially leading to full system compromise. [1, 2]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing a remote attacker to execute arbitrary operating system commands on the affected device without authentication. This can lead to full system compromise, affecting the confidentiality, integrity, and availability of the device. The attacker could potentially control the device, disrupt its operation, or use it as a foothold for further attacks. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection can be performed by monitoring network traffic for requests to the endpoint /goform/RP_setBasicAuto containing the parameter staticGateway with suspicious or unusual values that may indicate command injection attempts. Since the vulnerability involves OS command injection via the staticGateway parameter, inspecting HTTP POST requests to this endpoint for abnormal input patterns or payloads is recommended. Specific commands are not provided in the resources, but network traffic inspection tools like tcpdump or Wireshark can be used to capture such requests. Additionally, checking router logs for unexpected commands or behavior may help detect exploitation attempts. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include discontinuing use of the affected Linksys range extender models (RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000) running vulnerable firmware versions up to 20250801, as no vendor patch or mitigation has been provided. Replacement of the affected devices is suggested. Additionally, restricting remote access to the devices and monitoring for suspicious activity can reduce risk until devices are replaced. [2]