Linksys RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000 OS Command Injection Vulnerability

Vulnerability

A command injection vulnerability has been identified in Linksys RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000 routers, all running firmware released prior to August 1, 2025. The vulnerability resides in the 'setDFSSetting' function of the '/goform/setLan' file, where user-supplied input for 'lanNetmask' and 'lanIp' is not properly validated. This oversight allows remote attackers to inject arbitrary operating system commands, which are executed with the router's privileges.
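A strict allow-list check for the two parameters named above, as an added example in C that is not taken from the Linksys firmware or from the original advisory. The function names are hypothetical, and it assumes a POSIX libc that provides inet_pton.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical helper: accept only a canonical dotted-quad IPv4 string. */
static int parse_ipv4_strict(const char *s, uint32_t *out)
{
    struct in_addr a;
    size_t n;

    if (s == NULL)
        return 0;
    n = strlen(s);
    if (n < 7 || n > 15)                 /* "0.0.0.0" .. "255.255.255.255" */
        return 0;
    if (strspn(s, "0123456789.") != n)   /* any shell metacharacter, space or newline fails here */
        return 0;
    if (inet_pton(AF_INET, s, &a) != 1)  /* exactly four in-range octets, nothing trailing */
        return 0;
    *out = ntohl(a.s_addr);
    return 1;
}

/* A netmask is a non-empty run of 1-bits followed only by 0-bits. */
static int is_contiguous_mask(uint32_t m)
{
    uint32_t inv = ~m;
    return m != 0 && (inv & (inv + 1)) == 0;
}

/* Hypothetical gate for lanIp / lanNetmask: returns 1 only when both
 * values are well-formed and usable as a LAN host address. */
int validate_lan_settings(const char *lan_ip, const char *lan_netmask)
{
    uint32_t ip, mask;

    if (!parse_ipv4_strict(lan_ip, &ip) || !parse_ipv4_strict(lan_netmask, &mask))
        return 0;
    if (!is_contiguous_mask(mask) || mask == 0xFFFFFFFFu)
        return 0;
    /* Reject the network address (host bits all 0) and broadcast (all 1). */
    if ((ip & ~mask) == 0 || (ip & ~mask) == ~mask)
        return 0;
    return 1;
}
```

The check belongs at the point where the values are accepted and stored, because the stored value is consumed later by a different request handler.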

Impact

Exploitation of this vulnerability leads to unauthorized execution of operating system commands on the affected router.

Reproduction

To reproduce this vulnerability, first send a POST request to '/goform/setLan' with the 'lanNetmask' parameter set to '255.255.255.0' followed by the desired command payload, such as 'busybox telnetd'. After the command injection payload is set, send a second POST request to '/goform/setDFSSetting' to trigger the execution of the injected command. The result is shell access on the router, indicating successful exploitation.

Added: Aug 10, 2025, 11:18 PM
Updated: Aug 10, 2025, 11:18 PM

Vulnerability Rating

Custom Algorithm
Spread: 4.5
Impact: 10.0
Exploitability: 9.1
Remediation: 0.0
Relevance: 0.3
Threat: 6.4
Urgency: 2.9
Incentive: 9.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.