CVE-2025-9575
BaseFortify
Publication date: 2025-08-28
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linksys | re6250_firmware | 1.0.04.001 |
| linksys | re6250 | * |
| linksys | re6300_firmware | 1.2.07.001 |
| linksys | re6300 | * |
| linksys | re6350_firmware | 1.0.04.001 |
| linksys | re6350 | * |
| linksys | re7000_firmware | 1.1.05.003 |
| linksys | re7000 | * |
| linksys | re9000_firmware | 1.0.04.002 |
| linksys | re9000 | * |
| linksys | re6500_firmware | 1.0.013.001 |
| linksys | re6500 | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-9575 is an OS command injection vulnerability in multiple Linksys router models. It exists in the cgiMain function of the /cgi-bin/upload.cgi file, where the 'filename' parameter is not properly sanitized. This allows a remote attacker to inject and execute arbitrary operating system commands on the device by manipulating the filename argument in a crafted request. [1, 2]
How can this vulnerability impact me? :
This vulnerability can compromise the confidentiality, integrity, and availability of affected devices. An attacker can remotely execute arbitrary commands without authentication, potentially taking control of the device, disrupting its operation, or accessing sensitive information. Since no patches or mitigations are available, affected devices remain at risk until replaced. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection can be performed by monitoring network traffic for suspicious HTTP requests targeting the /cgi-bin/upload.cgi endpoint, specifically those manipulating the 'filename' parameter with unusual or command injection patterns. Since the vulnerability involves OS command injection via the filename argument, commands like curl or wget can be used to test the endpoint with crafted payloads. For example, using curl to send a request with a suspicious filename parameter to see if the device executes commands. Additionally, inspecting logs for unexpected command execution or anomalies related to /cgi-bin/upload.cgi may help detect exploitation attempts. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include replacing affected Linksys devices (RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000 with vulnerable firmware versions) with alternatives, as no patches or vendor mitigations are available. Restricting network access to the vulnerable devices, especially blocking remote access to the /cgi-bin/upload.cgi endpoint, can reduce exposure. Monitoring for exploitation attempts and isolating affected devices from critical networks are also recommended. [2]