Linksys RE6500
cpe:2.3:o:linksys:re6500_firmware:*:*:*:*:*:*:*
- <= 20250801
A command injection vulnerability has been identified in several Linksys range extenders, including the RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000, all running firmware released prior to August 1, 2025. The vulnerability resides in the 'RP_setBasicAuto' function within the '/goform/RP_setBasicAuto' file. It allows remote attackers to execute arbitrary operating system commands by manipulating the 'staticIp' and 'staticNetmask' parameters. The injected commands are executed with the privileges of the router's operating system.
Exploitation of this vulnerability leads to unauthorized execution of operating system commands on the affected device, potentially allowing for further attacks or manipulation of the device's functions.
To reproduce this vulnerability, send a POST request to '/goform/RP_setBasicAuto' with a crafted 'staticIp' value that includes a command to be executed, such as launching a reverse shell. The router will execute the command, providing shell access through the specified port.
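A strict server-side check on the two affected parameters, as an added example (this is not Linksys firmware code). It assumes the handler receives 'staticIp' and 'staticNetmask' as C strings; all function names are hypothetical.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <string.h>

/* Returns 1 only if s is a strict dotted-quad IPv4 address with no extra bytes. */
static int parse_ipv4(const char *s, uint32_t *out)
{
    struct in_addr a;

    if (s == NULL || strlen(s) > 15)      /* "255.255.255.255" is 15 chars */
        return 0;
    if (inet_pton(AF_INET, s, &a) != 1)   /* rejects any trailing characters */
        return 0;
    *out = ntohl(a.s_addr);
    return 1;
}

/* A netmask is a run of 1 bits followed only by 0 bits. */
static int is_contiguous_mask(uint32_t m)
{
    uint32_t inv = ~m;
    return m != 0 && (inv & (inv + 1)) == 0;
}

/*
 * Hypothetical gate for the staticIp / staticNetmask fields named in the
 * advisory. Returns 1 only when both values are plain IPv4 text, so shell
 * metacharacters can never reach a command line built from them.
 */
int static_cfg_is_valid(const char *static_ip, const char *static_netmask)
{
    uint32_t ip, mask;

    if (!parse_ipv4(static_ip, &ip) || !parse_ipv4(static_netmask, &mask))
        return 0;
    if (ip == 0 || !is_contiguous_mask(mask))
        return 0;
    return 1;
}
```

Validation of this kind is most robust when the accepted values are then passed as separate arguments to the configuration tool rather than concatenated into a shell string.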