Linksys Extender Command Injection Vulnerability Allowing Remote Code Execution

A command injection vulnerability has been identified in several Linksys extender models, including the RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000, all running firmware released prior to August 1, 2025. The vulnerability resides in the '/goform/setWan' endpoint, specifically within the 'sub_3517C' function of the 'mod_form.so' binary. This issue allows remote attackers to execute arbitrary operating system commands by manipulating the 'hostname' parameter in the request. The injected command is executed with elevated privileges, providing the attacker with a shell on the device.

Impact

Exploitation of this vulnerability leads to unauthorized execution of operating system commands on the affected device, with the potential for full system compromise.

Reproduction

To reproduce this vulnerability, send a POST request to '/goform/setWan' with the 'hostname' parameter set to a crafted command, such as 'busybox telnetd -l /bin/sh -p 2235'. The router will execute the command, and a shell can be obtained through the specified port.