CVE-2025-9244
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-08-20

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security vulnerability has been detected in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. This vulnerability affects the function addStaticRoute of the file /goform/addStaticRoute. Such manipulation of the argument staticRoute_IP_setting/staticRoute_Netmask_setting/staticRoute_Gateway_setting/staticRoute_Metric_setting/staticRoute_destType_setting leads to os command injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-08-20
Last Modified
2026-04-29
Generated
2026-05-06
AI Q&A
2025-08-20
EPSS Evaluated
2026-05-05
NVD
CVE-2025-9244
EUVD
EUVD-2025-25398
Affected Vendors & Products
Showing 12 associated CPEs
Vendor Product Version / Range
linksys re6250_firmware 1.0.04.001
linksys re6250 *
linksys re6300_firmware 1.2.07.001
linksys re6300 *
linksys re6350_firmware 1.0.04.001
linksys re6350 *
linksys re7000_firmware 1.1.05.003
linksys re7000 *
linksys re9000_firmware 1.0.04.002
linksys re9000 *
linksys re6500_firmware 1.0.013.001
linksys re6500 *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in certain Linksys range extenders where the addStaticRoute function improperly handles input parameters related to static routing settings. Specifically, manipulation of arguments such as staticRoute_IP_setting, staticRoute_Netmask_setting, staticRoute_Gateway_setting, staticRoute_Metric_setting, and staticRoute_destType_setting can lead to operating system command injection. This means an attacker can remotely execute arbitrary commands on the device.


How can this vulnerability impact me? :

If exploited, this vulnerability allows a remote attacker to execute arbitrary operating system commands on the affected device. This can lead to unauthorized control over the device, potential disruption of network services, data interception or modification, and could serve as a foothold for further attacks within the network.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart