CVE-2025-8829
BaseFortify
Publication date: 2025-08-11
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linksys | re6250_firmware | 1.0.04.001 |
| linksys | re6250 | * |
| linksys | re6300_firmware | 1.2.07.001 |
| linksys | re6300 | * |
| linksys | re6350_firmware | 1.0.04.001 |
| linksys | re6350 | * |
| linksys | re7000_firmware | 1.1.05.003 |
| linksys | re7000 | * |
| linksys | re9000_firmware | 1.0.04.002 |
| linksys | re9000 | * |
| linksys | re6500_firmware | 1.0.013.001 |
| linksys | re6500 | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-8829 is an OS command injection vulnerability in multiple Linksys range extender models (RE6250, RE6300, RE6350, RE6500, RE7000, RE9000) up to firmware version 20250801. The vulnerability exists in the function um_red within the file /goform/RP_setBasicAuto, where the hname argument is not properly sanitized. This allows a remote attacker to inject and execute arbitrary operating system commands on the device by sending crafted requests, potentially compromising the device's confidentiality, integrity, and availability. [1, 2]
How can this vulnerability impact me? :
This vulnerability allows remote attackers to execute arbitrary OS commands on affected Linksys devices without authentication. This can lead to unauthorized control over the device, potentially resulting in data compromise, disruption of network services, or further attacks on connected systems. Since the exploit is publicly available and easy to perform, affected devices are at significant risk. No vendor patches or mitigations are currently available, increasing the likelihood of exploitation. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring network traffic for HTTP requests targeting the endpoint /goform/RP_setBasicAuto with the parameter hname containing suspicious or command injection payloads. You can use tools like curl or wget to test the endpoint manually by sending crafted requests with various payloads in the hname parameter to see if command injection is possible. For example, a command like: curl -X POST 'http://<device-ip>/goform/RP_setBasicAuto' -d 'hname=;id' could be used to test if the device executes the injected command. Additionally, network intrusion detection systems (NIDS) can be configured to alert on such suspicious POST requests to this endpoint with unusual parameter values. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include discontinuing use of the affected Linksys range extender models or isolating them from the network to prevent remote exploitation, as no patches or vendor mitigations are currently available. Replace the vulnerable devices with alternative products not affected by this vulnerability. Additionally, restrict network access to the devices' management interfaces, implement firewall rules to block unauthorized access to the /goform/RP_setBasicAuto endpoint, and monitor for suspicious activity. Since the vulnerability allows remote command execution, minimizing exposure is critical until a patch or fix is provided. [1]