VYPR
← All advisories
Unrated severityNVD Advisory· Published Jun 2, 2025· Updated Jun 2, 2025

Linksys RE6500/RE6250/RE6300/RE6350/RE7000/RE9000 RP_checkCredentialsByBBS os command injection

CVE-2025-5446

Description

A vulnerability was found in Linksys RE6500, RE6250, RE6300, RE6350, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. It has been classified as critical. This affects the function RP_checkCredentialsByBBS of the file /goform/RP_checkCredentialsByBBS. The manipulation of the argument pwd leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Affected products

12
  • Linksys/RE6500llm-fuzzy
    Range: 1.0.013.001
  • Linksys/RE7000llm-fuzzy
    Range: 1.2.07.001
  • Linksys/RE9000llm-fuzzy
    Range: 1.2.07.001
  • Linksys/RE6300llm-fuzzy
    Range: 1.0.04.002
  • Linksys/RE6250llm-fuzzy
    Range: 1.0.04.001
  • Linksys/RE6350llm-fuzzy
    Range: 1.1.05.003
  • Linksys/RE6250v5
    Range: 1.0.013.001
  • Linksys/RE6300v5
    Range: 1.0.013.001
  • Linksys/RE6350v5
    Range: 1.0.013.001
  • Linksys/RE6500v5
    Range: 1.0.013.001
  • Linksys/RE7000v5
    Range: 1.0.013.001
  • Linksys/RE9000v5
    Range: 1.0.013.001

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

5

News mentions

0

No linked articles in our index yet.