CVE-2025-8826
Published: 11 August 2025
Summary
CVE-2025-8826 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Linksys Re6250 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 47.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 requires validating inputs like apcli_AuthMode_2G/apcli_AuthMode_5G arguments to prevent stack-based buffer overflows from improper restriction of operations within memory bounds.
SI-16 implements memory protection mechanisms such as stack canaries and DEP to block exploitation of the stack-based buffer overflow even if invalid input reaches the vulnerable function.
SI-2 mandates timely remediation of flaws like CVE-2025-8826 through firmware updates, directly eliminating the buffer overflow vulnerability in affected Linksys range extenders.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stack-based buffer overflow in the web management interface (/goform/RP_setBasicAuto) of Linksys Wi-Fi range extenders is remotely exploitable, enabling adversaries to compromise the device via T1190: Exploit Public-Facing Application.
NVD Description
A vulnerability has been found in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 up to 20250801. This vulnerability affects the function um_rp_autochannel of the file /goform/RP_setBasicAuto. The manipulation of the argument apcli_AuthMode_2G/apcli_AuthMode_5G leads to stack-based buffer overflow. The attack…
more
can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Deeper analysisAI
CVE-2025-8826 is a stack-based buffer overflow vulnerability affecting the um_rp_autochannel function in the /goform/RP_setBasicAuto file of Linksys Wi-Fi range extenders, specifically models RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000 running firmware versions up to 20250801. The issue, linked to CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow), is triggered by manipulating the apcli_AuthMode_2G or apcli_AuthMode_5G arguments. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.
The vulnerability can be exploited remotely by an attacker with low privileges (PR:L), such as authenticated access to the device's web interface. Successful exploitation allows arbitrary code execution with high confidentiality, integrity, and availability impacts, potentially leading to full device compromise, including data theft, configuration changes, or use as a pivot in network attacks.
Advisories from VulDB (ctiid.319360, id.319360) and a public GitHub disclosure detail the vulnerability, including a proof-of-concept (POC) at github.com/wudipjq/my_vuln/blob/main/Linksys1/vuln_42/42.md#poc. The vendor was notified early but has not responded or issued patches, leaving affected devices without official mitigations; practitioners should isolate exposed devices, monitor for anomalous traffic, and seek any unofficial firmware updates if available.
A public exploit POC has been disclosed, increasing the risk of widespread targeting, though no confirmed real-world exploitation is reported as of the CVE publication on 2025-08-11.
Details
- CWE(s)