Linksys RE6500
cpe:2.3:o:linksys:re6500_firmware:*:*:*:*:*:*:*
- 1.0.013.001
- 1.0.04.001
- 1.2.07.001
- 1.1.05.003
- 1.0.04.002
A stack-based buffer overflow vulnerability has been identified in Linksys RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000 routers with firmware released prior to August 1, 2025. The vulnerability exists in the 'setRIP' function of the '/goform/setRIP' file, where the 'RIPmode' and 'RIPpasswd' arguments can be manipulated to cause a buffer overflow. This overflow can be exploited remotely, potentially allowing attackers to execute arbitrary code.
Exploitation of this vulnerability leads to a stack-based buffer overflow, where excessive data in the 'RIPmode' or 'RIPpasswd' fields overwrites the return address of the function, causing the router to crash and disrupt service.
The vulnerability can be reproduced by sending a POST request to the '/goform/setRIP' endpoint with a crafted 'RIPmode' value that exceeds the buffer limit. This oversized input will cause the router to crash, demonstrating the buffer overflow condition.
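A detection check for the request pattern described above, as an added example that is not part of the original advisory. The 64-byte threshold and the sample requests are assumptions, since the page does not state the buffer size; tune the limit to the longest legitimate value seen on your devices.

```python
from urllib.parse import unquote_plus, unquote_to_bytes, urlsplit

WATCHED_PATH = "/goform/setRIP"            # endpoint named in the advisory
WATCHED_FIELDS = ("RIPmode", "RIPpasswd")  # arguments named in the advisory
MAX_FIELD_LEN = 64  # assumption: the advisory does not state the buffer size


def oversized_fields(method, target, body, limit=MAX_FIELD_LEN):
    """Return {field: decoded byte length} for watched fields above limit."""
    if method.upper() != "POST":
        return {}
    if urlsplit(target).path.rstrip("/") != WATCHED_PATH:
        return {}
    hits = {}
    for pair in body.split("&"):
        name, _, raw = pair.partition("=")
        name = unquote_plus(name)
        if name not in WATCHED_FIELDS:
            continue
        # Measure the value after percent-decoding, since form handlers work
        # on decoded data and an encoded value is longer on the wire.
        size = len(unquote_to_bytes(raw.replace("+", " ")))
        if size > limit:
            # Keep the largest value if a field is repeated in one body.
            hits[name] = max(size, hits.get(name, 0))
    return hits


# Constructed sample requests: (method, request target, form body).
SAMPLE_REQUESTS = [
    ("POST", "/goform/setRIP", "RIPmode=1&RIPpasswd=secret"),
    ("POST", "/goform/setRIP", "RIPmode=" + "A" * 300 + "&RIPpasswd=x"),
    ("POST", "/goform/setRIP?x=1", "RIPmode=0&RIPpasswd=" + "%41" * 100),
    ("POST", "/goform/setOther", "RIPmode=" + "A" * 300),
    ("GET", "/goform/setRIP", ""),
]


def scan(requests):
    """Return (index, hits) for each request that trips the length check."""
    alerts = []
    for i, (method, target, body) in enumerate(requests):
        hits = oversized_fields(method, target, body)
        if hits:
            alerts.append((i, hits))
    return alerts
```

The same length rule can be applied in a reverse proxy or IDS placed in front of the management interface until the device runs firmware released on or after August 1, 2025.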