CVE-2025-5439
Published: 02 June 2025
Summary
CVE-2025-5439 is a medium-severity Command Injection (CWE-77) vulnerability in Linksys Re9000 Firmware. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 9.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
A vulnerability rated critical exists in multiple Linksys Wi-Fi range extender models including the RE6500, RE6250, RE6300, RE6350, RE7000, and RE9000 running firmware versions 1.0.013.001, 1.0.04.001, 1.0.04.002, 1.1.05.003, or 1.2.07.001. The issue resides in the verifyFacebookLike function within the /goform/verifyFacebookLike endpoint, where improper handling of the uid and accessToken parameters permits operating system command injection, corresponding to CWE-77 and CWE-78.
An authenticated remote attacker can supply crafted input to these parameters and execute arbitrary commands on the device. The exploit has been made public via a detailed disclosure, enabling potential use by anyone with network access to an affected extender, though the CVSS vector reflects limited privileges and low attack complexity without user interaction.
No vendor patch or mitigation guidance has been issued, as Linksys was notified prior to disclosure but provided no response. The associated EPSS score has remained flat at 0.0539 with no observed increase since publication.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-16630
Vulnerability details
A vulnerability was found in Linksys RE6500, RE6250, RE6300, RE6350, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. It has been rated as critical. Affected by this issue is the function verifyFacebookLike of the file /goform/verifyFacebookLike. The manipulation of the argument uid/accessToken leads to…
more
os command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OS command injection in the remote web endpoint /goform/verifyFacebookLike enables exploitation of a public-facing application (T1190) for arbitrary Unix shell command execution (T1059.004) on Linux-based Linksys range extenders.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.