CVE-2025-8818
Published: 10 August 2025
Summary
CVE-2025-8818 is a medium-severity Command Injection (CWE-77) vulnerability in Linksys Re6250 Firmware. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Command and Scripting Interpreter (T1059); ranked in the top 25.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OS command injection via web interface parameters (lanNetmask/lanIp) in setDFSSetting enables exploitation of public-facing application (T1190), command and scripting interpreter execution (T1059, likely Unix Shell), and indirect command execution (T1202) on the Linksys range extender.
NVD Description
A vulnerability has been found in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 up to 20250801. Affected by this issue is the function setDFSSetting of the file /goform/setLan. The manipulation of the argument lanNetmask/lanIp leads to os command injection.…
more
The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Deeper analysisAI
CVE-2025-8818 is an OS command injection vulnerability affecting Linksys Wi-Fi range extenders, specifically the RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000 models running firmware up to version 20250801. The issue resides in the setDFSSetting function within the /goform/setLan endpoint, where the lanNetmask and lanIp arguments are improperly handled, allowing arbitrary command execution (CWE-77, CWE-78). The vulnerability carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), indicating moderate severity with network accessibility and low privilege requirements.
Exploitation requires low-privileged remote access, such as an authenticated user on the device’s web interface, with no user interaction needed. An attacker can manipulate the lanNetmask or lanIp parameters during a request to /goform/setLan, injecting and executing arbitrary operating system commands. This could enable limited impacts like data exfiltration, configuration changes, or service disruptions, though scoped to low confidentiality, integrity, and availability effects.
VulDB advisories and referenced GitHub disclosures detail the vulnerability, including a proof-of-concept exploit, but note no vendor response despite early notification. No patches or official mitigations are available, leaving affected devices exposed; practitioners should isolate or replace vulnerable extenders and monitor for command injection attempts. The exploit has been publicly disclosed and may be actively used.
Details
- CWE(s)