CVE-2025-8828
BaseFortify
Publication date: 2025-08-11
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linksys | re6250_firmware | 1.0.04.001 |
| linksys | re6250 | * |
| linksys | re6300_firmware | 1.2.07.001 |
| linksys | re6300 | * |
| linksys | re6350_firmware | 1.0.04.001 |
| linksys | re6350 | * |
| linksys | re7000_firmware | 1.1.05.003 |
| linksys | re7000 | * |
| linksys | re9000_firmware | 1.0.04.002 |
| linksys | re9000 | * |
| linksys | re6500_firmware | 1.0.013.001 |
| linksys | re6500 | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include replacing affected Linksys devices with non-vulnerable models or firmware, as no patches or vendor responses are available. Network administrators should restrict access to the vulnerable devices, especially blocking remote access to the /goform/setIpv6 endpoint. Implement network-level controls such as firewall rules to limit exposure. Monitoring for exploitation attempts and isolating affected devices can reduce risk. Since no known mitigations or patches exist, device replacement is the recommended action. [2]
Can you explain this vulnerability to me?
CVE-2025-8828 is an OS command injection vulnerability in multiple Linksys router models (RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000) affecting the ipv6cmd function in the /goform/setIpv6 endpoint. It occurs because various IPv6-related parameters are passed from user input directly into operating system commands without proper sanitization, allowing remote attackers to inject and execute arbitrary OS commands by crafting malicious requests. [1, 2]
How can this vulnerability impact me? :
This vulnerability allows remote attackers to execute arbitrary operating system commands on affected devices, potentially leading to full system compromise. This can impact the confidentiality, integrity, and availability of the device and network, enabling attackers to take control, disrupt services, or steal sensitive information. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring network traffic for suspicious HTTP requests targeting the /goform/setIpv6 endpoint on affected Linksys devices (RE6250, RE6300, RE6350, RE6500, RE7000, RE9000). Specifically, look for requests containing the ipv6cmd parameter with unusual or suspicious values in IPv6-related parameters such as Ipv6PriDns, Ipv6SecDns, Ipv6StaticGateway, LanIpv6Addr, LanPrefixLen, pppoeUser, pppoePass, and others listed. Commands like 'tcpdump' or 'Wireshark' can be used to capture and filter HTTP POST requests to /goform/setIpv6. For example, using tcpdump: tcpdump -i <interface> -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' and then searching for /goform/setIpv6 in the payload. Additionally, checking device logs for unexpected command executions or anomalies may help. However, no specific detection commands or signatures are provided in the resources. [1, 2]