CVE-2025-9356
Published: 22 August 2025
Summary
CVE-2025-9356 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Linksys Re6250 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 43.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the stack-based buffer overflow by validating the ruleName input argument for length and content consistency before processing.
Implements memory protections such as stack canaries, ASLR, and DEP to prevent exploitation of the stack-based buffer overflow even if input validation fails.
Requires timely identification, reporting, and patching of flaws like this buffer overflow in affected Linksys firmware versions.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stack-based buffer overflow in publicly exposed web form handler (/goform/inboundFilterAdd) directly enables remote code execution against a network device via T1190.
NVD Description
A vulnerability was determined in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. Affected by this issue is the function inboundFilterAdd of the file /goform/inboundFilterAdd. Executing manipulation of the argument ruleName can lead to stack-based buffer overflow. The attack…
more
may be performed from a remote location. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Deeper analysisAI
CVE-2025-9356 is a stack-based buffer overflow vulnerability affecting the inboundFilterAdd function in the /goform/inboundFilterAdd file on Linksys range extender models RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000. The flaw impacts devices running firmware versions 1.0.013.001, 1.0.04.001, 1.0.04.002, 1.1.05.003, or 1.2.07.001. It stems from improper handling of the ruleName argument, as classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow).
The vulnerability enables remote exploitation (AV:N) by an attacker possessing low privileges (PR:L), with low attack complexity (AC:L) and no user interaction required (UI:N). Successful exploitation can result in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H), yielding a CVSS v3.1 base score of 8.8 and potentially allowing arbitrary code execution through the buffer overflow.
Advisories from VulDB and a GitHub repository detail the issue, including a publicly disclosed proof-of-concept exploit. No vendor patches or mitigations are mentioned, as Linksys was contacted early about the disclosure but provided no response.
The exploit has been publicly released and is available for utilization, increasing the risk for affected devices in the wild.
Details
- CWE(s)