Linksys RE6500
cpe:2.3:o:linksys:re6500_firmware:*:*:*:*:*:*:*
- 1.0.013.001
- 1.0.04.001
- 1.2.07.001
- 1.1.05.003
- 1.0.04.002
A command injection vulnerability has been identified in Linksys range extenders RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000, all running firmware released prior to August 1, 2025. The vulnerability resides in the 'um_red' function of the '/goform/RP_setBasicAuto' file, where the 'hname' argument can be manipulated to inject and execute arbitrary operating system commands. This issue can be exploited remotely, and a public exploit is available.
Exploitation of this vulnerability allows for arbitrary operating system command execution on the affected device.
To reproduce this vulnerability, send a POST request to '/goform/RP_setBasicAuto' with a crafted 'hname' parameter that includes the desired command. The injected command will be executed by the router, providing shell access.
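A detection-side check for the request described above, as an added example that is not part of the original advisory or any vendor code: it flags captured POSTs to this endpoint whose 'hname' value is not a plain RFC 1123 host name. The (method, URL, body) capture format, the function names and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

TARGET_PATH = "/goform/RP_setBasicAuto"  # endpoint named in the advisory
PARAM = "hname"                          # parameter named in the advisory

# A legitimate host name: dot-separated RFC 1123 labels of letters, digits
# and hyphens, 1 to 63 characters each. Anything else is treated as suspect.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"{LABEL}(?:\.{LABEL})*")


def check_request(method, url, body):
    """Return findings for one captured request (empty list means clean)."""
    path = unquote(urlsplit(url).path).rstrip("/")
    if method.upper() != "POST" or path != TARGET_PATH:
        return []
    # parse_qs percent-decodes values, so encoded metacharacters are checked
    # in decoded form. Every repeated 'hname' field is inspected.
    fields = parse_qs(body, keep_blank_values=True)
    findings = []
    for value in fields.get(PARAM, []):
        # fullmatch (not match with '$') also rejects a trailing newline.
        if len(value) > 253 or not HOSTNAME_RE.fullmatch(value):
            findings.append(f"{PARAM} is not a valid host name: {value!r}")
    return findings


def flagged(requests):
    """Indices of captured requests whose hname fails the allow-list."""
    return [i for i, req in enumerate(requests) if check_request(*req)]


# Constructed sample captures (not real traffic): (method, URL, form body).
SAMPLES = [
    ("POST", "/goform/RP_setBasicAuto", "hname=RE6500-livingroom"),
    ("POST", "/goform/RP_setBasicAuto", "hname=ext%3Bplaceholder"),
    ("POST", "/goform/RP_setBasicAuto", "hname=ext%0A"),
    ("GET", "/index.html", ""),
]

if __name__ == "__main__":
    for i in flagged(SAMPLES):
        print(SAMPLES[i][1], check_request(*SAMPLES[i]))
```

An allow-list on the expected value shape is used here rather than a deny-list of shell metacharacters, so separators that are percent-encoded or uncommon are rejected as well.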