CVE-2025-8830
BaseFortify
Publication date: 2025-08-11
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linksys | re6250_firmware | 1.0.04.001 |
| linksys | re6250 | * |
| linksys | re6300_firmware | 1.2.07.001 |
| linksys | re6300 | * |
| linksys | re6350_firmware | 1.0.04.001 |
| linksys | re6350 | * |
| linksys | re7000_firmware | 1.1.05.003 |
| linksys | re7000 | * |
| linksys | re9000_firmware | 1.0.04.002 |
| linksys | re9000 | * |
| linksys | re6500_firmware | 1.0.013.001 |
| linksys | re6500 | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-8830 is an OS command injection vulnerability in multiple Linksys range extender models (RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000) up to firmware version 20250801. The flaw exists in the function sub_3517C within the file /goform/setWan, where the 'Hostname' argument is not properly sanitized. This allows an attacker to remotely inject arbitrary operating system commands by manipulating the Hostname parameter, potentially leading to unauthorized command execution on the device. [1, 2]
How can this vulnerability impact me? :
This vulnerability can impact you by compromising the confidentiality, integrity, and availability of the affected devices. Since the vulnerability allows remote attackers to execute arbitrary OS commands without authentication, attackers could take control of the device, disrupt its operation, or use it as a foothold for further attacks within your network. There are no known mitigations or patches, and the vendor has not responded, so affected devices may need to be replaced to mitigate risk. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring network traffic for suspicious requests to the /goform/setWan endpoint containing unusual or malformed Hostname parameters that may indicate command injection attempts. Since the exploit involves OS command injection via the Hostname argument, you can use network traffic inspection tools or web proxy logs to identify such patterns. Specific commands to detect exploitation attempts are not provided in the resources. However, monitoring HTTP POST requests to /goform/setWan with Hostname parameters containing shell metacharacters (e.g., ;, &, |) could help identify attempts. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include replacing the affected Linksys devices with non-vulnerable models or removing them from the network, as no patches or vendor mitigations are available. Network-level protections such as blocking access to the /goform/setWan endpoint from untrusted networks and implementing strict firewall rules may reduce exposure. Since the vendor has not responded or provided patches, and no known countermeasures exist, device replacement is the recommended action. [1]