Linksys Command Injection Vulnerability in RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000 Routers

A command injection vulnerability has been identified in Linksys routers, specifically in the RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000 models, all running firmware released prior to August 1, 2025. The vulnerability resides in the 'setDeviceName' function of the '/goform/setDeviceName' endpoint, where the 'DeviceName' argument can be manipulated to inject and execute arbitrary operating system commands. This issue can be exploited remotely, and a public exploit is available.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the affected device's operating system, potentially leading to unauthorized access or control over the device.

Reproduction

To reproduce this vulnerability, send a POST request to the '/goform/setDeviceName' endpoint with a crafted 'DeviceName' value that includes the desired OS command. After the command injection is successful, trigger the vulnerability by sending a POST request to the '/goform/ExecuteOnlineFW' endpoint. This sequence of actions will result in the injected command being executed on the device, providing a shell access.