Common Weakness Enumeration
CWE-121
AllowedStack-based Buffer Overflow
Abstraction: Variant · Status: Draft
A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
5209 vulnerabilities reference this CWE, most recent first.
CVE-2025-9791 (GCVE-0-2025-9791)
Vulnerability from cvelistv5 – Published: 2025-09-01 19:02 – Updated: 2025-09-02 15:09
VLAI
EPSS
VEX
Title
Tenda AC20 fromAdvSetMacMtuWan stack-based overflow
Summary
A weakness has been identified in Tenda AC20 16.03.08.05. This vulnerability affects unknown code of the file /goform/fromAdvSetMacMtuWan. This manipulation of the argument wanMTU causes stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be exploited.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.322106 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.322106 | signaturepermissions-required |
| https://vuldb.com/?submit.641088 | third-party-advisory |
| https://github.com/Cpppq43/Tenda/blob/main/Tenda_… | related |
| https://github.com/Cpppq43/Tenda/blob/main/Tenda_… | exploit |
| https://www.tenda.com.cn/ | product |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-9791",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-02T14:13:37.000337Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-02T15:09:01.786Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Cpppq43/Tenda/blob/main/Tenda_AC20_V16.03.08.05.md#poc"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/Cpppq43/Tenda/blob/main/Tenda_AC20_V16.03.08.05.md"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "AC20",
"vendor": "Tenda",
"versions": [
{
"status": "affected",
"version": "16.03.08.05"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "BediveRE (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A weakness has been identified in Tenda AC20 16.03.08.05. This vulnerability affects unknown code of the file /goform/fromAdvSetMacMtuWan. This manipulation of the argument wanMTU causes stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be exploited."
},
{
"lang": "de",
"value": "In Tenda AC20 16.03.08.05 wurde eine Schwachstelle gefunden. Hierbei geht es um eine nicht exakt ausgemachte Funktion der Datei /goform/fromAdvSetMacMtuWan. Durch Manipulieren des Arguments wanMTU mit unbekannten Daten kann eine stack-based buffer overflow-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei \u00fcber das Netzwerk erfolgen. Der Exploit wurde der \u00d6ffentlichkeit bekannt gemacht und k\u00f6nnte verwendet werden."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 8.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 9,
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-119",
"description": "Memory Corruption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-01T19:02:07.802Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-322106 | Tenda AC20 fromAdvSetMacMtuWan stack-based overflow",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.322106"
},
{
"name": "VDB-322106 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.322106"
},
{
"name": "Submit #641088 | Tenda Tenda AC20 AC20_V16.03.08.05 Stack-based Buffer Overflow",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.641088"
},
{
"tags": [
"related"
],
"url": "https://github.com/Cpppq43/Tenda/blob/main/Tenda_AC20_V16.03.08.05.md"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/Cpppq43/Tenda/blob/main/Tenda_AC20_V16.03.08.05.md#poc"
},
{
"tags": [
"product"
],
"url": "https://www.tenda.com.cn/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-09-01T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-09-01T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-09-01T12:15:44.000Z",
"value": "VulDB entry last update"
}
],
"title": "Tenda AC20 fromAdvSetMacMtuWan stack-based overflow"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-9791",
"datePublished": "2025-09-01T19:02:07.802Z",
"dateReserved": "2025-09-01T10:10:40.574Z",
"dateUpdated": "2025-09-02T15:09:01.786Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-9748 (GCVE-0-2025-9748)
Vulnerability from cvelistv5 – Published: 2025-08-31 22:02 – Updated: 2025-09-02 15:12
VLAI
EPSS
VEX
Title
Tenda CH22 httpd IPSECsave fromIpsecitem stack-based overflow
Summary
A vulnerability was determined in Tenda CH22 1.0.0.1. Affected by this issue is the function fromIpsecitem of the file /goform/IPSECsave of the component httpd. Executing manipulation of the argument ipsecno can lead to stack-based buffer overflow. The attack may be performed from remote.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.322049 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.322049 | signaturepermissions-required |
| https://vuldb.com/?submit.640422 | third-party-advisory |
| https://github.com/physicszq/Routers/tree/main/tmp/02 | related |
| https://www.tenda.com.cn/ | product |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-9748",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-02T14:35:03.013991Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-02T15:12:48.704Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/physicszq/Routers/tree/main/tmp/02"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"httpd"
],
"product": "CH22",
"vendor": "Tenda",
"versions": [
{
"status": "affected",
"version": "1.0.0.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "physicszq (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was determined in Tenda CH22 1.0.0.1. Affected by this issue is the function fromIpsecitem of the file /goform/IPSECsave of the component httpd. Executing manipulation of the argument ipsecno can lead to stack-based buffer overflow. The attack may be performed from remote."
},
{
"lang": "de",
"value": "Es wurde eine Schwachstelle in Tenda CH22 1.0.0.1 entdeckt. Es geht hierbei um die Funktion fromIpsecitem der Datei /goform/IPSECsave der Komponente httpd. Durch das Manipulieren des Arguments ipsecno mit unbekannten Daten kann eine stack-based buffer overflow-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk erfolgen."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 8.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 9,
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C/E:ND/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-119",
"description": "Memory Corruption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-31T22:02:07.125Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-322049 | Tenda CH22 httpd IPSECsave fromIpsecitem stack-based overflow",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.322049"
},
{
"name": "VDB-322049 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.322049"
},
{
"name": "Submit #640422 | Tenda tenda CH22 V1.0.0.1 Stack-based Buffer Overflow",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.640422"
},
{
"tags": [
"related"
],
"url": "https://github.com/physicszq/Routers/tree/main/tmp/02"
},
{
"tags": [
"product"
],
"url": "https://www.tenda.com.cn/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-08-31T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-08-31T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-08-31T10:16:03.000Z",
"value": "VulDB entry last update"
}
],
"title": "Tenda CH22 httpd IPSECsave fromIpsecitem stack-based overflow"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-9748",
"datePublished": "2025-08-31T22:02:07.125Z",
"dateReserved": "2025-08-31T08:10:59.472Z",
"dateUpdated": "2025-09-02T15:12:48.704Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-9605 (GCVE-0-2025-9605)
Vulnerability from cvelistv5 – Published: 2025-08-29 02:02 – Updated: 2025-08-29 13:31
VLAI
EPSS
VEX
Title
Tenda AC21/AC23 GetParentControlInfo stack-based overflow
Summary
A security vulnerability has been detected in Tenda AC21 and AC23 16.03.08.16. Affected is the function GetParentControlInfo of the file /goform/GetParentControlInfo. Such manipulation of the argument mac leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed publicly and may be used.
Severity
9.8 (Critical)
9.8 (Critical)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.321783 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.321783 | signaturepermissions-required |
| https://vuldb.com/?submit.636545 | third-party-advisory |
| https://vuldb.com/?submit.636548 | third-party-advisory |
| https://github.com/XXRicardo/iot-cve/blob/main/Te… | related |
| https://github.com/XXRicardo/iot-cve/blob/main/Te… | exploit |
| https://www.tenda.com.cn/ | product |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-9605",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-29T13:31:03.332380Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-29T13:31:06.430Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/XXRicardo/iot-cve/blob/main/Tenda/AC23/Stack-Based%20Buffer%20Overflow%20in%20Tenda%20Wi-Fi%205%20Router%20AC23%EF%BC%88AC23V1.0re_V16.03.07.52%EF%BC%89.md"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/XXRicardo/iot-cve/blob/main/Tenda/AC21/AC21V1.0re_V16.03.08.16.md"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "AC21",
"vendor": "Tenda",
"versions": [
{
"status": "affected",
"version": "16.03.08.16"
}
]
},
{
"product": "AC23",
"vendor": "Tenda",
"versions": [
{
"status": "affected",
"version": "16.03.08.16"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "lxyilu (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security vulnerability has been detected in Tenda AC21 and AC23 16.03.08.16. Affected is the function GetParentControlInfo of the file /goform/GetParentControlInfo. Such manipulation of the argument mac leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed publicly and may be used."
},
{
"lang": "de",
"value": "In Tenda AC21 and AC23 16.03.08.16 ist eine Schwachstelle entdeckt worden. Betroffen ist die Funktion GetParentControlInfo der Datei /goform/GetParentControlInfo. Durch das Manipulieren des Arguments mac mit unbekannten Daten kann eine stack-based buffer overflow-Schwachstelle ausgenutzt werden. Ein Angriff ist aus der Distanz m\u00f6glich. Der Exploit ist \u00f6ffentlich verf\u00fcgbar und k\u00f6nnte genutzt werden."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 10,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-119",
"description": "Memory Corruption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-29T02:02:08.778Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-321783 | Tenda AC21/AC23 GetParentControlInfo stack-based overflow",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.321783"
},
{
"name": "VDB-321783 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.321783"
},
{
"name": "Submit #636545 | Tenda Wi-Fi 5 Router AC21 AC21V1.0re_V16.03.08.16 Buffer Overflow",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.636545"
},
{
"name": "Submit #636548 | Tenda Wi-Fi 5 Router AC23 AC23V1.0re_V16.03.07.52 Buffer Overflow (Duplicate)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.636548"
},
{
"tags": [
"related"
],
"url": "https://github.com/XXRicardo/iot-cve/blob/main/Tenda/AC21/AC21V1.0re_V16.03.08.16.md"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/XXRicardo/iot-cve/blob/main/Tenda/AC23/Stack-Based%20Buffer%20Overflow%20in%20Tenda%20Wi-Fi%205%20Router%20AC23%EF%BC%88AC23V1.0re_V16.03.07.52%EF%BC%89.md"
},
{
"tags": [
"product"
],
"url": "https://www.tenda.com.cn/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-08-28T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-08-28T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-08-28T17:27:38.000Z",
"value": "VulDB entry last update"
}
],
"title": "Tenda AC21/AC23 GetParentControlInfo stack-based overflow"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-9605",
"datePublished": "2025-08-29T02:02:08.778Z",
"dateReserved": "2025-08-28T15:21:33.747Z",
"dateUpdated": "2025-08-29T13:31:06.430Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-9527 (GCVE-0-2025-9527)
Vulnerability from cvelistv5 – Published: 2025-08-27 13:02 – Updated: 2025-08-27 13:28
VLAI
EPSS
VEX
Title
Linksys E1700 QoSSetup stack-based overflow
Summary
A vulnerability was found in Linksys E1700 1.0.0.4.003. This affects the function QoSSetup of the file /goform/QoSSetup. Performing manipulation of the argument ack_policy results in stack-based buffer overflow. The attack may be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.321544 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.321544 | signaturepermissions-required |
| https://vuldb.com/?submit.634826 | third-party-advisory |
| https://github.com/wudipjq/my_vuln/blob/main/Link… | related |
| https://github.com/wudipjq/my_vuln/blob/main/Link… | exploit |
| https://www.linksys.com/ | product |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-9527",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-27T13:27:51.672873Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-27T13:28:00.394Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "E1700",
"vendor": "Linksys",
"versions": [
{
"status": "affected",
"version": "1.0.0.4.003"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Bond_yes (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Linksys E1700 1.0.0.4.003. This affects the function QoSSetup of the file /goform/QoSSetup. Performing manipulation of the argument ack_policy results in stack-based buffer overflow. The attack may be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way."
},
{
"lang": "de",
"value": "Eine Schwachstelle wurde in Linksys E1700 1.0.0.4.003 gefunden. Es geht um die Funktion QoSSetup der Datei /goform/QoSSetup. Mittels Manipulieren des Arguments ack_policy mit unbekannten Daten kann eine stack-based buffer overflow-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk angegangen werden. Die Ausnutzung wurde ver\u00f6ffentlicht und kann verwendet werden."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 8.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 9,
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-119",
"description": "Memory Corruption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-27T13:02:06.341Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-321544 | Linksys E1700 QoSSetup stack-based overflow",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.321544"
},
{
"name": "VDB-321544 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.321544"
},
{
"name": "Submit #634826 | Linksys E1700 E1700(1.0.0.4.003) Stack-based Buffer Overflow",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.634826"
},
{
"tags": [
"related"
],
"url": "https://github.com/wudipjq/my_vuln/blob/main/Linksys2/vuln_60/60.md"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/wudipjq/my_vuln/blob/main/Linksys2/vuln_60/60.md#poc"
},
{
"tags": [
"product"
],
"url": "https://www.linksys.com/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-08-27T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-08-27T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-08-27T09:37:01.000Z",
"value": "VulDB entry last update"
}
],
"title": "Linksys E1700 QoSSetup stack-based overflow"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-9527",
"datePublished": "2025-08-27T13:02:06.341Z",
"dateReserved": "2025-08-27T05:43:13.651Z",
"dateUpdated": "2025-08-27T13:28:00.394Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-9526 (GCVE-0-2025-9526)
Vulnerability from cvelistv5 – Published: 2025-08-27 12:32 – Updated: 2025-08-27 13:18
VLAI
EPSS
VEX
Title
Linksys E1700 setSysAdm stack-based overflow
Summary
A vulnerability has been found in Linksys E1700 1.0.0.4.003. Affected by this issue is the function setSysAdm of the file /goform/setSysAdm. Such manipulation of the argument rm_port leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.321543 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.321543 | signaturepermissions-required |
| https://vuldb.com/?submit.634825 | third-party-advisory |
| https://github.com/wudipjq/my_vuln/blob/main/Link… | related |
| https://github.com/wudipjq/my_vuln/blob/main/Link… | exploit |
| https://www.linksys.com/ | product |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-9526",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-27T13:17:55.594019Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-27T13:18:53.170Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "E1700",
"vendor": "Linksys",
"versions": [
{
"status": "affected",
"version": "1.0.0.4.003"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Bond_yes (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been found in Linksys E1700 1.0.0.4.003. Affected by this issue is the function setSysAdm of the file /goform/setSysAdm. Such manipulation of the argument rm_port leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
},
{
"lang": "de",
"value": "In Linksys E1700 1.0.0.4.003 ist eine Schwachstelle entdeckt worden. Betroffen hiervon ist die Funktion setSysAdm der Datei /goform/setSysAdm. Mittels dem Manipulieren des Arguments rm_port mit unbekannten Daten kann eine stack-based buffer overflow-Schwachstelle ausgenutzt werden. Der Angriff kann remote ausgef\u00fchrt werden. Der Exploit ist \u00f6ffentlich verf\u00fcgbar und k\u00f6nnte genutzt werden."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 8.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 9,
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-119",
"description": "Memory Corruption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-27T12:32:09.160Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-321543 | Linksys E1700 setSysAdm stack-based overflow",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.321543"
},
{
"name": "VDB-321543 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.321543"
},
{
"name": "Submit #634825 | Linksys E1700 E1700(1.0.0.4.003) Stack-based Buffer Overflow",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.634825"
},
{
"tags": [
"related"
],
"url": "https://github.com/wudipjq/my_vuln/blob/main/Linksys2/vuln_59/59.md"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/wudipjq/my_vuln/blob/main/Linksys2/vuln_59/59.md#poc"
},
{
"tags": [
"product"
],
"url": "https://www.linksys.com/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-08-27T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-08-27T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-08-27T09:36:57.000Z",
"value": "VulDB entry last update"
}
],
"title": "Linksys E1700 setSysAdm stack-based overflow"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-9526",
"datePublished": "2025-08-27T12:32:09.160Z",
"dateReserved": "2025-08-27T05:43:10.953Z",
"dateUpdated": "2025-08-27T13:18:53.170Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-9525 (GCVE-0-2025-9525)
Vulnerability from cvelistv5 – Published: 2025-08-27 12:32 – Updated: 2025-08-27 13:20
VLAI
EPSS
VEX
Title
Linksys E1700 setWan stack-based overflow
Summary
A flaw has been found in Linksys E1700 1.0.0.4.003. Affected by this vulnerability is the function setWan of the file /goform/setWan. This manipulation of the argument DeviceName/lanIp causes stack-based buffer overflow. The attack can be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.321542 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.321542 | signaturepermissions-required |
| https://vuldb.com/?submit.634824 | third-party-advisory |
| https://github.com/wudipjq/my_vuln/blob/main/Link… | related |
| https://github.com/wudipjq/my_vuln/blob/main/Link… | exploit |
| https://www.linksys.com/ | product |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-9525",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-27T13:20:37.653502Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-27T13:20:56.576Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "E1700",
"vendor": "Linksys",
"versions": [
{
"status": "affected",
"version": "1.0.0.4.003"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Bond_yes (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw has been found in Linksys E1700 1.0.0.4.003. Affected by this vulnerability is the function setWan of the file /goform/setWan. This manipulation of the argument DeviceName/lanIp causes stack-based buffer overflow. The attack can be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
},
{
"lang": "de",
"value": "In Linksys E1700 1.0.0.4.003 wurde eine Schwachstelle gefunden. Betroffen davon ist die Funktion setWan der Datei /goform/setWan. Durch Manipulation des Arguments DeviceName/lanIp mit unbekannten Daten kann eine stack-based buffer overflow-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff \u00fcber das Netzwerk. Die Schwachstelle wurde \u00f6ffentlich offengelegt und k\u00f6nnte ausgenutzt werden."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 8.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 9,
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-119",
"description": "Memory Corruption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-27T12:32:07.243Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-321542 | Linksys E1700 setWan stack-based overflow",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.321542"
},
{
"name": "VDB-321542 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.321542"
},
{
"name": "Submit #634824 | Linksys E1700 E1700(1.0.0.4.003) Stack-based Buffer Overflow",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.634824"
},
{
"tags": [
"related"
],
"url": "https://github.com/wudipjq/my_vuln/blob/main/Linksys2/vuln_58/58.md"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/wudipjq/my_vuln/blob/main/Linksys2/vuln_58/58.md#poc"
},
{
"tags": [
"product"
],
"url": "https://www.linksys.com/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-08-27T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-08-27T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-08-27T09:36:52.000Z",
"value": "VulDB entry last update"
}
],
"title": "Linksys E1700 setWan stack-based overflow"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-9525",
"datePublished": "2025-08-27T12:32:07.243Z",
"dateReserved": "2025-08-27T05:43:01.318Z",
"dateUpdated": "2025-08-27T13:20:56.576Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-9523 (GCVE-0-2025-9523)
Vulnerability from cvelistv5 – Published: 2025-08-27 10:32 – Updated: 2025-08-27 13:22
VLAI
EPSS
VEX
Title
Tenda AC1206 GetParentControlInfo stack-based overflow
Summary
A vulnerability was detected in Tenda AC1206 15.03.06.23. Affected is the function GetParentControlInfo of the file /goform/GetParentControlInfo. The manipulation of the argument mac results in stack-based buffer overflow. It is possible to launch the attack remotely. The exploit is now public and may be used.
Severity
9.8 (Critical)
9.8 (Critical)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.321541 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.321541 | signaturepermissions-required |
| https://vuldb.com/?submit.634309 | third-party-advisory |
| https://github.com/XXRicardo/iot-cve/blob/main/Te… | exploit |
| https://www.tenda.com.cn/ | product |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-9523",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-27T13:21:42.471514Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-27T13:22:13.925Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "AC1206",
"vendor": "Tenda",
"versions": [
{
"status": "affected",
"version": "15.03.06.23"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "lxyilu (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was detected in Tenda AC1206 15.03.06.23. Affected is the function GetParentControlInfo of the file /goform/GetParentControlInfo. The manipulation of the argument mac results in stack-based buffer overflow. It is possible to launch the attack remotely. The exploit is now public and may be used."
},
{
"lang": "de",
"value": "Es wurde eine Schwachstelle in Tenda AC1206 15.03.06.23 entdeckt. Betroffen ist die Funktion GetParentControlInfo der Datei /goform/GetParentControlInfo. Durch die Manipulation des Arguments mac mit unbekannten Daten kann eine stack-based buffer overflow-Schwachstelle ausgenutzt werden. Es ist m\u00f6glich, den Angriff aus der Ferne durchzuf\u00fchren. Der Exploit wurde der \u00d6ffentlichkeit bekannt gemacht und k\u00f6nnte verwendet werden."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 10,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-119",
"description": "Memory Corruption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-27T10:32:07.976Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-321541 | Tenda AC1206 GetParentControlInfo stack-based overflow",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.321541"
},
{
"name": "VDB-321541 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.321541"
},
{
"name": "Submit #634309 | Tenda Tenda Wi-Fi 5 Router AC1206 AC1206V1.0RTL_V15.03.06.23 Buffer Overflow",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.634309"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/XXRicardo/iot-cve/blob/main/Tenda/AC1206/AC1206V1.0RTL_V15.03.06.23.md"
},
{
"tags": [
"product"
],
"url": "https://www.tenda.com.cn/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-08-27T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-08-27T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-08-27T07:08:38.000Z",
"value": "VulDB entry last update"
}
],
"title": "Tenda AC1206 GetParentControlInfo stack-based overflow"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-9523",
"datePublished": "2025-08-27T10:32:07.976Z",
"dateReserved": "2025-08-27T05:03:24.435Z",
"dateUpdated": "2025-08-27T13:22:13.925Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-9483 (GCVE-0-2025-9483)
Vulnerability from cvelistv5 – Published: 2025-08-26 14:02 – Updated: 2025-08-26 15:01
VLAI
EPSS
VEX
Title
Linksys RE6250/RE6300/RE6350/RE6500/RE7000/RE9000 singlePortForwardAdd stack-based overflow
Summary
A flaw has been found in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. Affected is the function singlePortForwardAdd of the file /goform/singlePortForwardAdd. This manipulation of the argument ruleName/schedule/inboundFilter causes stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.321398 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.321398 | signaturepermissions-required |
| https://vuldb.com/?submit.634823 | third-party-advisory |
| https://github.com/wudipjq/my_vuln/blob/main/Link… | related |
| https://github.com/wudipjq/my_vuln/blob/main/Link… | exploit |
| https://www.linksys.com/ | product |
Impacted products
6 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linksys | RE6250 |
Affected:
1.0.013.001
Affected: 1.0.04.001 Affected: 1.0.04.002 Affected: 1.1.05.003 Affected: 1.2.07.001 |
|
| Linksys | RE6300 |
Affected:
1.0.013.001
Affected: 1.0.04.001 Affected: 1.0.04.002 Affected: 1.1.05.003 Affected: 1.2.07.001 |
|
| Linksys | RE6350 |
Affected:
1.0.013.001
Affected: 1.0.04.001 Affected: 1.0.04.002 Affected: 1.1.05.003 Affected: 1.2.07.001 |
|
| Linksys | RE6500 |
Affected:
1.0.013.001
Affected: 1.0.04.001 Affected: 1.0.04.002 Affected: 1.1.05.003 Affected: 1.2.07.001 |
|
| Linksys | RE7000 |
Affected:
1.0.013.001
Affected: 1.0.04.001 Affected: 1.0.04.002 Affected: 1.1.05.003 Affected: 1.2.07.001 |
|
| Linksys | RE9000 |
Affected:
1.0.013.001
Affected: 1.0.04.001 Affected: 1.0.04.002 Affected: 1.1.05.003 Affected: 1.2.07.001 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-9483",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-26T15:01:54.282758Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-26T15:01:59.378Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/wudipjq/my_vuln/blob/main/Linksys/vuln_37/37.md"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/wudipjq/my_vuln/blob/main/Linksys/vuln_37/37.md#poc"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "RE6250",
"vendor": "Linksys",
"versions": [
{
"status": "affected",
"version": "1.0.013.001"
},
{
"status": "affected",
"version": "1.0.04.001"
},
{
"status": "affected",
"version": "1.0.04.002"
},
{
"status": "affected",
"version": "1.1.05.003"
},
{
"status": "affected",
"version": "1.2.07.001"
}
]
},
{
"product": "RE6300",
"vendor": "Linksys",
"versions": [
{
"status": "affected",
"version": "1.0.013.001"
},
{
"status": "affected",
"version": "1.0.04.001"
},
{
"status": "affected",
"version": "1.0.04.002"
},
{
"status": "affected",
"version": "1.1.05.003"
},
{
"status": "affected",
"version": "1.2.07.001"
}
]
},
{
"product": "RE6350",
"vendor": "Linksys",
"versions": [
{
"status": "affected",
"version": "1.0.013.001"
},
{
"status": "affected",
"version": "1.0.04.001"
},
{
"status": "affected",
"version": "1.0.04.002"
},
{
"status": "affected",
"version": "1.1.05.003"
},
{
"status": "affected",
"version": "1.2.07.001"
}
]
},
{
"product": "RE6500",
"vendor": "Linksys",
"versions": [
{
"status": "affected",
"version": "1.0.013.001"
},
{
"status": "affected",
"version": "1.0.04.001"
},
{
"status": "affected",
"version": "1.0.04.002"
},
{
"status": "affected",
"version": "1.1.05.003"
},
{
"status": "affected",
"version": "1.2.07.001"
}
]
},
{
"product": "RE7000",
"vendor": "Linksys",
"versions": [
{
"status": "affected",
"version": "1.0.013.001"
},
{
"status": "affected",
"version": "1.0.04.001"
},
{
"status": "affected",
"version": "1.0.04.002"
},
{
"status": "affected",
"version": "1.1.05.003"
},
{
"status": "affected",
"version": "1.2.07.001"
}
]
},
{
"product": "RE9000",
"vendor": "Linksys",
"versions": [
{
"status": "affected",
"version": "1.0.013.001"
},
{
"status": "affected",
"version": "1.0.04.001"
},
{
"status": "affected",
"version": "1.0.04.002"
},
{
"status": "affected",
"version": "1.1.05.003"
},
{
"status": "affected",
"version": "1.2.07.001"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Bond_yes (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw has been found in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. Affected is the function singlePortForwardAdd of the file /goform/singlePortForwardAdd. This manipulation of the argument ruleName/schedule/inboundFilter causes stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
},
{
"lang": "de",
"value": "In Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001 wurde eine Schwachstelle gefunden. Betroffen davon ist die Funktion singlePortForwardAdd der Datei /goform/singlePortForwardAdd. Dank der Manipulation des Arguments ruleName/schedule/inboundFilter mit unbekannten Daten kann eine stack-based buffer overflow-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff \u00fcber das Netzwerk. Der Exploit ist \u00f6ffentlich verf\u00fcgbar und k\u00f6nnte genutzt werden."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 8.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 9,
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-119",
"description": "Memory Corruption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-26T14:02:06.175Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-321398 | Linksys RE6250/RE6300/RE6350/RE6500/RE7000/RE9000 singlePortForwardAdd stack-based overflow",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.321398"
},
{
"name": "VDB-321398 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.321398"
},
{
"name": "Submit #634823 | Linksys RE6500\u3001RE6250\u3001RE6300\u3001RE6350\u3001RE7000\u3001RE9000 RE6500(1.0.013.001) RE6250(1.0.04.001) RE6300(1.2.07.001) RE6350(1.0.04.001) RE7000(1.1.05.003) RE9000(1.0.04.002) Stack-based Buffer Overflow",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.634823"
},
{
"tags": [
"related"
],
"url": "https://github.com/wudipjq/my_vuln/blob/main/Linksys/vuln_37/37.md"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/wudipjq/my_vuln/blob/main/Linksys/vuln_37/37.md#poc"
},
{
"tags": [
"product"
],
"url": "https://www.linksys.com/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-08-26T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-08-26T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-08-26T09:40:58.000Z",
"value": "VulDB entry last update"
}
],
"title": "Linksys RE6250/RE6300/RE6350/RE6500/RE7000/RE9000 singlePortForwardAdd stack-based overflow"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-9483",
"datePublished": "2025-08-26T14:02:06.175Z",
"dateReserved": "2025-08-26T07:35:50.516Z",
"dateUpdated": "2025-08-26T15:01:59.378Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-9482 (GCVE-0-2025-9482)
Vulnerability from cvelistv5 – Published: 2025-08-26 13:32 – Updated: 2025-08-26 14:42
VLAI
EPSS
VEX
Title
Linksys RE6250/RE6300/RE6350/RE6500/RE7000/RE9000 portRangeForwardAdd stack-based overflow
Summary
A vulnerability was detected in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. This impacts the function portRangeForwardAdd of the file /goform/portRangeForwardAdd. The manipulation of the argument ruleName/schedule/inboundFilter/TCPPorts/UDPPorts results in stack-based buffer overflow. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.321397 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.321397 | signaturepermissions-required |
| https://vuldb.com/?submit.634820 | third-party-advisory |
| https://github.com/wudipjq/my_vuln/blob/main/Link… | related |
| https://github.com/wudipjq/my_vuln/blob/main/Link… | exploit |
| https://www.linksys.com/ | product |
Impacted products
6 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linksys | RE6250 |
Affected:
1.0.013.001
Affected: 1.0.04.001 Affected: 1.0.04.002 Affected: 1.1.05.003 Affected: 1.2.07.001 |
|
| Linksys | RE6300 |
Affected:
1.0.013.001
Affected: 1.0.04.001 Affected: 1.0.04.002 Affected: 1.1.05.003 Affected: 1.2.07.001 |
|
| Linksys | RE6350 |
Affected:
1.0.013.001
Affected: 1.0.04.001 Affected: 1.0.04.002 Affected: 1.1.05.003 Affected: 1.2.07.001 |
|
| Linksys | RE6500 |
Affected:
1.0.013.001
Affected: 1.0.04.001 Affected: 1.0.04.002 Affected: 1.1.05.003 Affected: 1.2.07.001 |
|
| Linksys | RE7000 |
Affected:
1.0.013.001
Affected: 1.0.04.001 Affected: 1.0.04.002 Affected: 1.1.05.003 Affected: 1.2.07.001 |
|
| Linksys | RE9000 |
Affected:
1.0.013.001
Affected: 1.0.04.001 Affected: 1.0.04.002 Affected: 1.1.05.003 Affected: 1.2.07.001 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-9482",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-26T14:42:39.463898Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-26T14:42:43.140Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/wudipjq/my_vuln/blob/main/Linksys/vuln_36/36.md#poc"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/wudipjq/my_vuln/blob/main/Linksys/vuln_36/36.md"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "RE6250",
"vendor": "Linksys",
"versions": [
{
"status": "affected",
"version": "1.0.013.001"
},
{
"status": "affected",
"version": "1.0.04.001"
},
{
"status": "affected",
"version": "1.0.04.002"
},
{
"status": "affected",
"version": "1.1.05.003"
},
{
"status": "affected",
"version": "1.2.07.001"
}
]
},
{
"product": "RE6300",
"vendor": "Linksys",
"versions": [
{
"status": "affected",
"version": "1.0.013.001"
},
{
"status": "affected",
"version": "1.0.04.001"
},
{
"status": "affected",
"version": "1.0.04.002"
},
{
"status": "affected",
"version": "1.1.05.003"
},
{
"status": "affected",
"version": "1.2.07.001"
}
]
},
{
"product": "RE6350",
"vendor": "Linksys",
"versions": [
{
"status": "affected",
"version": "1.0.013.001"
},
{
"status": "affected",
"version": "1.0.04.001"
},
{
"status": "affected",
"version": "1.0.04.002"
},
{
"status": "affected",
"version": "1.1.05.003"
},
{
"status": "affected",
"version": "1.2.07.001"
}
]
},
{
"product": "RE6500",
"vendor": "Linksys",
"versions": [
{
"status": "affected",
"version": "1.0.013.001"
},
{
"status": "affected",
"version": "1.0.04.001"
},
{
"status": "affected",
"version": "1.0.04.002"
},
{
"status": "affected",
"version": "1.1.05.003"
},
{
"status": "affected",
"version": "1.2.07.001"
}
]
},
{
"product": "RE7000",
"vendor": "Linksys",
"versions": [
{
"status": "affected",
"version": "1.0.013.001"
},
{
"status": "affected",
"version": "1.0.04.001"
},
{
"status": "affected",
"version": "1.0.04.002"
},
{
"status": "affected",
"version": "1.1.05.003"
},
{
"status": "affected",
"version": "1.2.07.001"
}
]
},
{
"product": "RE9000",
"vendor": "Linksys",
"versions": [
{
"status": "affected",
"version": "1.0.013.001"
},
{
"status": "affected",
"version": "1.0.04.001"
},
{
"status": "affected",
"version": "1.0.04.002"
},
{
"status": "affected",
"version": "1.1.05.003"
},
{
"status": "affected",
"version": "1.2.07.001"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Bond_yes (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was detected in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. This impacts the function portRangeForwardAdd of the file /goform/portRangeForwardAdd. The manipulation of the argument ruleName/schedule/inboundFilter/TCPPorts/UDPPorts results in stack-based buffer overflow. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
},
{
"lang": "de",
"value": "Es wurde eine Schwachstelle in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001 entdeckt. Betroffen ist die Funktion portRangeForwardAdd der Datei /goform/portRangeForwardAdd. Die Bearbeitung des Arguments ruleName/schedule/inboundFilter/TCPPorts/UDPPorts verursacht stack-based buffer overflow. Es ist m\u00f6glich, den Angriff aus der Ferne durchzuf\u00fchren. Die Schwachstelle wurde \u00f6ffentlich offengelegt und k\u00f6nnte ausgenutzt werden."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 8.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 9,
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-119",
"description": "Memory Corruption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-26T13:32:11.752Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-321397 | Linksys RE6250/RE6300/RE6350/RE6500/RE7000/RE9000 portRangeForwardAdd stack-based overflow",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.321397"
},
{
"name": "VDB-321397 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.321397"
},
{
"name": "Submit #634820 | Linksys RE6500\u3001RE6250\u3001RE6300\u3001RE6350\u3001RE7000\u3001RE9000 RE6500(1.0.013.001) RE6250(1.0.04.001) RE6300(1.2.07.001) RE6350(1.0.04.001) RE7000(1.1.05.003) RE9000(1.0.04.002) Stack-based Buffer Overflow",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.634820"
},
{
"tags": [
"related"
],
"url": "https://github.com/wudipjq/my_vuln/blob/main/Linksys/vuln_36/36.md"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/wudipjq/my_vuln/blob/main/Linksys/vuln_36/36.md#poc"
},
{
"tags": [
"product"
],
"url": "https://www.linksys.com/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-08-26T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-08-26T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-08-26T09:40:57.000Z",
"value": "VulDB entry last update"
}
],
"title": "Linksys RE6250/RE6300/RE6350/RE6500/RE7000/RE9000 portRangeForwardAdd stack-based overflow"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-9482",
"datePublished": "2025-08-26T13:32:11.752Z",
"dateReserved": "2025-08-26T07:35:47.510Z",
"dateUpdated": "2025-08-26T14:42:43.140Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-9481 (GCVE-0-2025-9481)
Vulnerability from cvelistv5 – Published: 2025-08-26 13:32 – Updated: 2025-08-26 14:40
VLAI
EPSS
VEX
Title
Linksys RE6250/RE6300/RE6350/RE6500/RE7000/RE9000 setIpv6 stack-based overflow
Summary
A security vulnerability has been detected in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. This affects the function setIpv6 of the file /goform/setIpv6. The manipulation of the argument tunrd_Prefix leads to stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.321396 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.321396 | signaturepermissions-required |
| https://vuldb.com/?submit.634819 | third-party-advisory |
| https://github.com/wudipjq/my_vuln/blob/main/Link… | related |
| https://github.com/wudipjq/my_vuln/blob/main/Link… | exploit |
| https://www.linksys.com/ | product |
Impacted products
6 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linksys | RE6250 |
Affected:
1.0.013.001
Affected: 1.0.04.001 Affected: 1.0.04.002 Affected: 1.1.05.003 Affected: 1.2.07.001 |
|
| Linksys | RE6300 |
Affected:
1.0.013.001
Affected: 1.0.04.001 Affected: 1.0.04.002 Affected: 1.1.05.003 Affected: 1.2.07.001 |
|
| Linksys | RE6350 |
Affected:
1.0.013.001
Affected: 1.0.04.001 Affected: 1.0.04.002 Affected: 1.1.05.003 Affected: 1.2.07.001 |
|
| Linksys | RE6500 |
Affected:
1.0.013.001
Affected: 1.0.04.001 Affected: 1.0.04.002 Affected: 1.1.05.003 Affected: 1.2.07.001 |
|
| Linksys | RE7000 |
Affected:
1.0.013.001
Affected: 1.0.04.001 Affected: 1.0.04.002 Affected: 1.1.05.003 Affected: 1.2.07.001 |
|
| Linksys | RE9000 |
Affected:
1.0.013.001
Affected: 1.0.04.001 Affected: 1.0.04.002 Affected: 1.1.05.003 Affected: 1.2.07.001 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-9481",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-26T14:40:53.873186Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-26T14:40:57.042Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/wudipjq/my_vuln/blob/main/Linksys/vuln_35/35.md"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/wudipjq/my_vuln/blob/main/Linksys/vuln_35/35.md#poc"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "RE6250",
"vendor": "Linksys",
"versions": [
{
"status": "affected",
"version": "1.0.013.001"
},
{
"status": "affected",
"version": "1.0.04.001"
},
{
"status": "affected",
"version": "1.0.04.002"
},
{
"status": "affected",
"version": "1.1.05.003"
},
{
"status": "affected",
"version": "1.2.07.001"
}
]
},
{
"product": "RE6300",
"vendor": "Linksys",
"versions": [
{
"status": "affected",
"version": "1.0.013.001"
},
{
"status": "affected",
"version": "1.0.04.001"
},
{
"status": "affected",
"version": "1.0.04.002"
},
{
"status": "affected",
"version": "1.1.05.003"
},
{
"status": "affected",
"version": "1.2.07.001"
}
]
},
{
"product": "RE6350",
"vendor": "Linksys",
"versions": [
{
"status": "affected",
"version": "1.0.013.001"
},
{
"status": "affected",
"version": "1.0.04.001"
},
{
"status": "affected",
"version": "1.0.04.002"
},
{
"status": "affected",
"version": "1.1.05.003"
},
{
"status": "affected",
"version": "1.2.07.001"
}
]
},
{
"product": "RE6500",
"vendor": "Linksys",
"versions": [
{
"status": "affected",
"version": "1.0.013.001"
},
{
"status": "affected",
"version": "1.0.04.001"
},
{
"status": "affected",
"version": "1.0.04.002"
},
{
"status": "affected",
"version": "1.1.05.003"
},
{
"status": "affected",
"version": "1.2.07.001"
}
]
},
{
"product": "RE7000",
"vendor": "Linksys",
"versions": [
{
"status": "affected",
"version": "1.0.013.001"
},
{
"status": "affected",
"version": "1.0.04.001"
},
{
"status": "affected",
"version": "1.0.04.002"
},
{
"status": "affected",
"version": "1.1.05.003"
},
{
"status": "affected",
"version": "1.2.07.001"
}
]
},
{
"product": "RE9000",
"vendor": "Linksys",
"versions": [
{
"status": "affected",
"version": "1.0.013.001"
},
{
"status": "affected",
"version": "1.0.04.001"
},
{
"status": "affected",
"version": "1.0.04.002"
},
{
"status": "affected",
"version": "1.1.05.003"
},
{
"status": "affected",
"version": "1.2.07.001"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Bond_yes (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security vulnerability has been detected in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. This affects the function setIpv6 of the file /goform/setIpv6. The manipulation of the argument tunrd_Prefix leads to stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
},
{
"lang": "de",
"value": "Eine Schwachstelle wurde in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001 gefunden. Hiervon betroffen ist die Funktion setIpv6 der Datei /goform/setIpv6. Die Ver\u00e4nderung des Parameters tunrd_Prefix resultiert in stack-based buffer overflow. Ein Angriff ist aus der Distanz m\u00f6glich. Der Exploit wurde der \u00d6ffentlichkeit bekannt gemacht und k\u00f6nnte verwendet werden."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 8.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 9,
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-119",
"description": "Memory Corruption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-26T13:32:09.115Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-321396 | Linksys RE6250/RE6300/RE6350/RE6500/RE7000/RE9000 setIpv6 stack-based overflow",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.321396"
},
{
"name": "VDB-321396 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.321396"
},
{
"name": "Submit #634819 | Linksys RE6500\u3001RE6250\u3001RE6300\u3001RE6350\u3001RE7000\u3001RE9000 RE6500(1.0.013.001) RE6250(1.0.04.001) RE6300(1.2.07.001) RE6350(1.0.04.001) RE7000(1.1.05.003) RE9000(1.0.04.002) Stack-based Buffer Overflow",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.634819"
},
{
"tags": [
"related"
],
"url": "https://github.com/wudipjq/my_vuln/blob/main/Linksys/vuln_35/35.md"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/wudipjq/my_vuln/blob/main/Linksys/vuln_35/35.md#poc"
},
{
"tags": [
"product"
],
"url": "https://www.linksys.com/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-08-26T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-08-26T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-08-26T09:40:55.000Z",
"value": "VulDB entry last update"
}
],
"title": "Linksys RE6250/RE6300/RE6350/RE6500/RE7000/RE9000 setIpv6 stack-based overflow"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-9481",
"datePublished": "2025-08-26T13:32:09.115Z",
"dateReserved": "2025-08-26T07:35:43.588Z",
"dateUpdated": "2025-08-26T14:40:57.042Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation MIT-10
Operation
Build and Compilation
Strategy: Environment Hardening
- Use automatic buffer overflow detection mechanisms that are offered by certain compilers or compiler extensions. Examples include: the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice, which provide various mechanisms including canary-based detection and range/index checking.
- D3-SFCV (Stack Frame Canary Validation) from D3FEND [REF-1334] discusses canary-based detection in detail.
Mitigation
Architecture and Design
Use an abstraction library to abstract away risky APIs. Not a complete solution.
Mitigation
Implementation
Implement and perform bounds checking on input.
Mitigation
Implementation
Do not use dangerous functions such as gets. Use safer, equivalent functions which check for boundary errors.
Mitigation MIT-11
Operation
Build and Compilation
Strategy: Environment Hardening
- Run or compile the software using features or extensions that randomly arrange the positions of a program's executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from reliably jumping to exploitable code.
- Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60] and Position-Independent Executables (PIE) [REF-64]. Imported modules may be similarly realigned if their default memory addresses conflict with other modules, in a process known as "rebasing" (for Windows) and "prelinking" (for Linux) [REF-1332] using randomly generated addresses. ASLR for libraries cannot be used in conjunction with prelink since it would require relocating the libraries at run-time, defeating the whole purpose of prelinking.
- For more information on these techniques see D3-SAOR (Segment Address Offset Randomization) from D3FEND [REF-1335].
No CAPEC attack patterns related to this CWE.