CVE-2025-5445 in RE6500
Summary
by MITRE • 06/02/2025
A vulnerability was found in Linksys RE6500, RE6250, RE6300, RE6350, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001 and classified as critical. Affected by this issue is the function RP_checkFWByBBS of the file /goform/RP_checkFWByBBS. The manipulation of the argument type/ch/ssidhex/security/extch/pwd/mode/ip/nm/gw leads to os command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 06/11/2025
This critical vulnerability exists in multiple Linksys router models including RE6500, RE6250, RE6300, RE6350, RE7000, and RE9000 firmware versions 1.0.013.001 through 1.2.07.001. The flaw resides in the RP_checkFWByBBS function within the /goform/RP_checkFWByBBS file, representing a classic os command injection vulnerability that allows remote attackers to execute arbitrary commands on affected devices. The vulnerability is triggered through manipulation of multiple parameters including type/ch/ssidhex/security/extch/pwd/mode/ip/nm/gw which are processed without proper input validation or sanitization, creating a direct pathway for command execution. This issue falls under CWE-78, which specifically addresses OS Command Injection, and aligns with ATT&CK technique T1059.001 for Command and Scripting Interpreter. The remote exploitation capability means attackers can leverage this vulnerability from outside the network without requiring physical access or local credentials, making it particularly dangerous for enterprise and home network environments.
The operational impact of this vulnerability extends beyond simple command execution to potentially compromise entire network infrastructures. An attacker who successfully exploits this vulnerability could gain full administrative control over the affected routers, enabling them to modify network configurations, redirect traffic through malicious servers, establish persistent backdoors, or use the compromised devices as launching points for further attacks against internal networks. The exposure of multiple parameter fields creates numerous potential attack vectors, as each parameter could be manipulated to inject malicious commands. This vulnerability directly affects the router's firmware update mechanism, which is typically a critical system function requiring high security controls. The fact that the exploit has been publicly disclosed and is actively being used indicates that threat actors have already begun targeting these devices, potentially leading to widespread compromise of affected networks. The lack of vendor response despite early disclosure suggests either delayed patch development or inadequate security response protocols within the vendor's vulnerability management process.
Mitigation strategies should focus on immediate network isolation and firmware updates where available. Organizations should implement network segmentation to limit the impact of potential compromise, disable unnecessary services, and monitor for unusual network traffic patterns that might indicate exploitation attempts. The most effective immediate protection involves disabling remote management capabilities and ensuring that only trusted devices can access the router's administrative interface through local network connections. Network administrators should also consider implementing intrusion detection systems that can identify command injection attempts targeting the specific vulnerable endpoint. For long-term security, vendors should establish robust vulnerability disclosure and patch management processes, while organizations should maintain current firmware versions and regularly audit their network device configurations. The vulnerability demonstrates the critical importance of input validation in web application interfaces and the necessity of following secure coding practices to prevent command injection attacks. Given the critical severity classification and active exploitation, immediate action is required to protect affected networks from potential compromise.