Linksys Range Extenders Stack-Based Buffer Overflow Vulnerability

A stack-based buffer overflow vulnerability has been identified in Linksys range extenders RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000, all running firmware versions prior to 20250801. The vulnerability resides in the 'um_rp_autochannel' function within the '/goform/RP_setBasicAuto' file. It is triggered by manipulating the 'apcli_AuthMode_2G' and 'apcli_AuthMode_5G' arguments, leading to a stack overflow that could be exploited to execute arbitrary code. This vulnerability can be exploited remotely, and a public proof-of-concept exploit is available.

Impact

Exploitation of this vulnerability causes the router to crash, disrupting its normal service and causing a persistent denial of functionality.

Reproduction

To reproduce this vulnerability, send a POST request to '/goform/RP_setBasicAuto' with the 'apcli_AuthMode_2G' and/or 'apcli_AuthMode_5G' fields populated with excessively long data. The router will crash as a result of the stack overflow.