CVE-2025-9392 in RE6250
Summary
by MITRE • 08/24/2025
A security vulnerability has been detected in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. This affects the function qosClassifier of the file /goform/qosClassifier. Such manipulation of the argument dir/sFromPort/sToPort/dFromPort/dToPort/protocol/layer7/dscp/remark_dscp leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 09/03/2025
This vulnerability exists within the Linksys router firmware versions 1.0.013.001 through 1.2.07.001 affecting multiple models including RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000. The flaw is located in the qosClassifier function within the /goform/qosClassifier file which handles Quality of Service classification parameters. The vulnerability stems from inadequate input validation and bounds checking when processing user-supplied arguments including dir, sFromPort, sToPort, dFromPort, dToPort, protocol, layer7, dscp, and remark_dscp parameters. These parameters are processed through a stack-based buffer overflow mechanism that occurs when the input data exceeds the allocated buffer space, potentially allowing attackers to overwrite adjacent memory locations.
The technical implementation of this vulnerability aligns with CWE-121 Stack-based Buffer Overflow, which occurs when a program writes data to a buffer located on the stack without proper bounds checking. The attack vector is remote, meaning an attacker can exploit this vulnerability without requiring physical access to the device. This remote exploit capability significantly increases the attack surface and potential impact. The vulnerability is particularly concerning because the exploit has been publicly disclosed and is actively available, removing any element of exploit scarcity that might otherwise limit its proliferation. The lack of vendor response to early disclosure attempts suggests either inadequate security monitoring or delayed remediation processes that leave users exposed to potential exploitation.
The operational impact of this vulnerability is substantial as it provides attackers with potential remote code execution capabilities on affected routers. Successful exploitation could enable attackers to gain administrative control over the affected devices, potentially leading to complete network compromise. The compromised router could then be used as a pivot point for attacks against internal network systems, or attackers could use it to establish persistent access to the network. Additionally, the vulnerability could be leveraged to modify Quality of Service settings, potentially disrupting network traffic or creating denial of service conditions. The stack-based buffer overflow could also result in system crashes or unpredictable behavior that would impact network connectivity and stability. This vulnerability directly maps to attack techniques described in the MITRE ATT&CK framework under T1059 Command and Control and T1068 Exploitation for Privilege Escalation, where attackers can leverage such vulnerabilities to establish persistent access and control over network infrastructure.
The recommended mitigations include immediate firmware updates from Linksys if available, network segmentation to limit access to affected devices, and implementing network monitoring to detect anomalous traffic patterns that might indicate exploitation attempts. Organizations should also consider disabling unnecessary services and ports, implementing firewall rules to restrict access to the affected router management interfaces, and conducting thorough network scans to identify potentially compromised devices. Given the public availability of the exploit and the vendor's lack of response, proactive network defense measures are critical. Users should also consider replacing affected devices with models that have received security updates and have established vendor support channels for vulnerability remediation. The vulnerability demonstrates the importance of maintaining up-to-date firmware and the risks associated with legacy devices that may no longer receive security patches from manufacturers.