CVE-2025-9392
BaseFortify
Publication date: 2025-08-24
Last updated on: 2025-09-02
Assigner: VulDB
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linksys | re6250_firmware | 1.0.04.001 |
| linksys | re6250 | * |
| linksys | re6300_firmware | 1.2.07.001 |
| linksys | re6300 | * |
| linksys | re6350_firmware | 1.0.04.001 |
| linksys | re6350 | * |
| linksys | re7000_firmware | 1.1.05.003 |
| linksys | re7000 | * |
| linksys | re9000_firmware | 1.0.04.002 |
| linksys | re9000 | * |
| linksys | re6500_firmware | 1.0.013.001 |
| linksys | re6500 | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-9392 is a stack-based buffer overflow vulnerability in multiple Linksys range extender models (RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000). It exists in the function qosClassifier within the /goform/qosClassifier endpoint. Attackers can manipulate several input parameters (dir, sFromPort, sToPort, dFromPort, dToPort, protocol, layer7, dscp, remark_dscp) without proper length validation, causing a stack overflow. This can lead to crashing the router's server or potentially executing arbitrary code remotely. [1, 2]
How can this vulnerability impact me?
This vulnerability can impact you by allowing a remote attacker to crash your Linksys router or range extender, causing denial of service. More critically, the attacker may execute arbitrary code on the device, compromising its confidentiality, integrity, and availability. This means your device could be controlled or manipulated by an attacker without your permission. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring network traffic or HTTP requests targeting the /goform/qosClassifier endpoint on affected Linksys devices. Specifically, look for requests in which parameters such as dir, sFromPort, sToPort, dFromPort, dToPort, protocol, layer7, dscp, and remark_dscp carry unusually long or malformed values that could trigger a stack-based buffer overflow. Packet capture tools such as tcpdump or Wireshark can be used to find HTTP POST requests to /goform/qosClassifier. For example, the following command prints TCP segments on port 80 that carry a payload, which can then be inspected for suspicious payloads:

`tcpdump -i <interface> -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'`

Additionally, using curl or wget to test the endpoint with crafted parameters can help verify vulnerability presence. However, no specific detection commands are provided in the resources. [1, 2]
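The check described above can be automated over captured requests. The following is an added example, not taken from the referenced resources: it flags requests to /goform/qosClassifier whose listed parameters are over-long or contain non-printable bytes. The 32-character threshold, the function name and the sample requests are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

ENDPOINT = "/goform/qosClassifier"
# Parameters named in the CVE-2025-9392 description.
WATCHED = {"dir", "sFromPort", "sToPort", "dFromPort", "dToPort",
           "protocol", "layer7", "dscp", "remark_dscp"}
MAX_LEN = 32  # Assumed threshold: port numbers and DSCP codes are short values.


def inspect_request(raw: str, max_len: int = MAX_LEN) -> list[tuple[str, int]]:
    """Return (parameter, value_length) for watched parameters that look abnormal.

    `raw` is one HTTP/1.x request as text: request line, headers, blank line, body.
    Requests for any other path return an empty list.
    """
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    request_line = head.split("\n", 1)[0].split()
    if len(request_line) < 2:
        return []  # Not a parseable request line.
    target = urlsplit(request_line[1])
    if target.path.rstrip("/") != ENDPOINT:
        return []
    # Parameters may arrive in the query string or in a form-encoded body.
    pairs = parse_qsl(target.query, keep_blank_values=True)
    pairs += parse_qsl(body.strip(), keep_blank_values=True)
    findings = []
    for name, value in pairs:
        if name not in WATCHED:
            continue
        # parse_qsl percent-decodes, so encoded control bytes are caught too.
        if len(value) > max_len or not value.isprintable():
            findings.append((name, len(value)))
    return findings


# Constructed sample requests (192.0.2.10 is a documentation address).
BENIGN = ("POST /goform/qosClassifier HTTP/1.1\r\nHost: 192.0.2.10\r\n"
          "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
          "dir=0&sFromPort=80&sToPort=80&protocol=6&dscp=10")
OVERSIZED = ("POST /goform/qosClassifier HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n"
             "dir=0&sFromPort=" + "A" * 300 + "&dscp=10")
OTHER_PATH = ("GET /index.html?dscp=" + "A" * 300 +
              " HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("oversized", OVERSIZED)):
        print(label, inspect_request(req))
```

Tune the threshold against legitimate traffic from the device's own management UI before alerting on it.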
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include discontinuing use of the affected Linksys range extender models (RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000) with vulnerable firmware versions, as no vendor patches or countermeasures are available. Replace these devices with alternative products not affected by this vulnerability. Additionally, restrict remote access to the devices' management interfaces, especially blocking access to the /goform/qosClassifier endpoint from untrusted networks. Monitoring for exploit attempts and isolating vulnerable devices from critical network segments can also reduce risk. [2]