CVE-2025-8827
Published: 11 August 2025
Summary
CVE-2025-8827 is a low-severity Command Injection (CWE-77) vulnerability in Linksys Re6250 Firmware. Its CVSS base score is 2.1 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 11.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SC-7 (Boundary Protection).
Deeper analysis
A vulnerability identified as CVE-2025-8827 affects the Linksys RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000 range extenders up to firmware version 20250801. It resides in the um_inspect_cross_band function of the /goform/RP_setBasicAuto endpoint, where improper handling of the staticGateway argument permits OS command injection. The issue is classified under CWE-77 and CWE-78 and carries a CVSS 4.0 score of 2.1.
An authenticated remote attacker can supply a crafted staticGateway value to execute arbitrary operating system commands on the device. The attack requires no user interaction and can be launched over the network, though it is limited to users with valid credentials.
Public proof-of-concept code has been published on GitHub, and the EPSS score has remained flat at 0.0415 with no material rise since disclosure. The vendor was contacted prior to publication but issued no response or mitigation guidance.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-24107
Vulnerability details
A vulnerability was found in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 up to 20250801. This issue affects the function um_inspect_cross_band of the file /goform/RP_setBasicAuto. The manipulation of the argument staticGateway leads to os command injection. The attack may…
more
be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote OS command injection via web form (/goform/RP_setBasicAuto.staticGateway) on public-facing Linksys range extenders enables exploitation of public-facing applications (T1190), exploitation of remote services (T1210), indirect command execution (T1202), and command/script interpreter abuse on network devices (T1059.008).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation and sanitization of untrusted inputs such as the staticGateway argument before it reaches um_inspect_cross_band, blocking OS command injection.
Enforces boundary protection and traffic filtering that can restrict or deny remote access to the vulnerable /goform/RP_setBasicAuto endpoint from untrusted networks.
Enables monitoring of system calls and web-form activity to identify anomalous command execution patterns resulting from successful injection.