CVE-2025-9251
Published: 20 August 2025
Summary
CVE-2025-9251 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Linksys Re6250 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 44.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires validation of inputs like the Ssid argument at the /goform/sta_wps_pin entry point to prevent stack-based buffer overflows.
Implements memory protections such as stack canaries, ASLR, and non-executable memory to mitigate exploitation of stack buffer overflows.
Mandates identification, reporting, and remediation of flaws like this buffer overflow vulnerability, including firmware updates or replacements despite vendor non-response.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stack-based buffer overflow in the unauthenticated remote web endpoint (/goform/sta_wps_pin) enables remote exploitation of a public-facing application and remote service for potential RCE or DoS on Linksys Wi-Fi range extenders.
NVD Description
A security flaw has been discovered in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. Affected is the function sta_wps_pin of the file /goform/sta_wps_pin. Performing manipulation of the argument Ssid results in stack-based buffer overflow. The attack can be…
more
initiated remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
Deeper analysisAI
CVE-2025-9251 is a stack-based buffer overflow vulnerability (CWE-119, CWE-121) in the sta_wps_pin function of the /goform/sta_wps_pin file on Linksys Wi-Fi range extenders, specifically models RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000 running firmware versions 1.0.013.001, 1.0.04.001, 1.0.04.002, 1.1.05.003, or 1.2.07.001. The issue arises from improper handling of the Ssid argument, allowing overflow during remote manipulation.
Attackers with low privileges can exploit this remotely over the network with low complexity and no user interaction required (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, score 8.8). Successful exploitation enables high-impact compromise of confidentiality, integrity, and availability, potentially leading to arbitrary code execution on the affected device.
VulDB advisories and a GitHub repository detail the vulnerability and confirm a public exploit release. Linksys was notified early but has not responded or provided patches, leaving affected devices without official mitigation as of the CVE publication on 2025-08-20T22:15:30.080.
The exploit's public availability heightens risk for unpatched deployments in home and small office networks.
Details
- CWE(s)