CVE-2025-8822
Published: 11 August 2025
Summary
CVE-2025-8822 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Linksys Re6250 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 47.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents stack-based buffer overflows by requiring validation of inputs like the opMode argument to ensure they do not exceed buffer bounds.
Mitigates exploitation of the stack buffer overflow through memory protections such as stack canaries, ASLR, and non-executable stacks.
Addresses the vulnerability by requiring timely identification, reporting, and remediation of flaws like this buffer overflow via firmware updates or device replacement.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stack-based buffer overflow in network-accessible web endpoint (/goform/setOpMode) directly enables remote exploitation of a public-facing application (T1190) for arbitrary code execution and subsequent privilege escalation from authenticated user to root (T1068).
NVD Description
A vulnerability has been found in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 up to 20250801. Affected is the function algDisable of the file /goform/setOpMode. The manipulation of the argument opMode leads to stack-based buffer overflow. It is possible…
more
to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Deeper analysisAI
CVE-2025-8822 is a stack-based buffer overflow vulnerability affecting the algDisable function in the /goform/setOpMode file of Linksys range extender models RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000, up to firmware version 20250801. The issue stems from improper handling of the opMode argument, which can be manipulated to trigger the overflow. It is classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow), with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity.
The vulnerability can be exploited remotely by an attacker with low privileges (such as an authenticated user) over the network, requiring low complexity and no user interaction. Successful exploitation allows arbitrary code execution with high impacts on confidentiality, integrity, and availability, potentially leading to full device compromise, such as root access or persistent control over the affected range extender.
No vendor patches or official mitigations are available, as Linksys was contacted early about the issue but did not respond. A proof-of-concept exploit has been publicly disclosed, increasing the risk of active exploitation; security practitioners should isolate affected devices, monitor for anomalous traffic to the /goform/setOpMode endpoint, and consider firmware updates if released. Relevant details and the POC are documented in references including GitHub repositories and VulDB entries.
Details
- CWE(s)