CVE-2025-8821 in RE6250
Summary
by MITRE • 08/11/2025
A vulnerability was identified in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 up to 20250801. This issue affects the function RP_setBasic of the file /goform/RP_setBasic. The manipulation of the argument bssid leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 09/04/2025
This vulnerability resides within the Linksys router firmware ecosystem affecting multiple models including RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000 devices. The flaw manifests in the RP_setBasic function located within the /goform/RP_setBasic file path, representing a critical security weakness that allows for remote code execution through improper input validation. The vulnerability specifically targets the bssid argument parameter, which when manipulated enables attackers to inject operating system commands directly into the router's execution environment. This represents a classic command injection vulnerability that falls under the CWE-77 category, specifically CWE-78 which focuses on OS Command Injection.
The attack vector for this vulnerability is entirely remote, meaning that an attacker does not require physical access to the device or local network presence to exploit the flaw. This remote exploit capability significantly amplifies the threat landscape as it allows for widespread compromise from any location with network connectivity. The vulnerability has been publicly disclosed and is actively being used in the wild, indicating that threat actors have already developed working exploits against these devices. The lack of vendor response to early disclosure attempts suggests either limited resources for patch development or potentially delayed acknowledgment of the severity of the issue, leaving users exposed for extended periods.
The operational impact of this vulnerability is severe and multifaceted across network security infrastructure. Successful exploitation allows attackers to execute arbitrary commands on the affected routers, potentially enabling full system compromise, data exfiltration, network reconnaissance, and the establishment of persistent backdoors. This vulnerability directly impacts the CIA triad by compromising confidentiality through potential data access, integrity through possible system modification, and availability through potential denial of service conditions. The attack surface extends beyond individual device compromise to potentially enable lateral movement within networks, as routers often serve as central points of network access and control.
Mitigation strategies should focus on immediate network isolation of affected devices while vendor patches are developed and deployed. Network administrators should implement network segmentation and monitoring to detect suspicious command execution patterns. The use of intrusion detection systems with signature-based detection for known exploit patterns should be prioritized. Additionally, implementing network access controls and disabling unnecessary services can reduce the attack surface. This vulnerability aligns with ATT&CK technique T1059.001 for Command and Scripting Interpreter and T1071.004 for Application Layer Protocol: DNS, as attackers may use these compromised devices for command execution and data exfiltration through DNS tunneling. Organizations should also consider implementing network-wide vulnerability scanning and penetration testing to identify additional affected devices and ensure comprehensive remediation across their infrastructure.