A high-severity vulnerability has been identified in multiple Linksys Wi-Fi extender models, allowing a remote, unauthenticated attacker to potentially take full control of an affected device. Successful exploitation could enable an adversary to intercept network traffic, pivot to other internal network resources, or disrupt network availability. Due to the severity and the widespread use of these devices in both home and business environments, immediate patching is critical.

The vulnerability is an unauthenticated command injection flaw within the web-based administration interface of the affected devices. An attacker on the same network can send a specially crafted HTTP request to a specific, exposed API endpoint. The device fails to properly sanitize user-supplied input within this request, allowing the attacker to inject and execute arbitrary operating system commands with root-level privileges, leading to a complete compromise of the device.

This vulnerability is rated as High severity with a CVSS score of 8.8. A successful exploit grants an attacker complete administrative control over the network extender. This could lead to severe business consequences, including eavesdropping on sensitive network traffic, redirecting users to phishing websites via DNS hijacking, and using the compromised device as a launchpad for further attacks against the internal corporate network. Additionally, compromised devices could be conscripted into a botnet for use in Distributed Denial-of-Service (DDoS) attacks, potentially causing reputational damage and service disruption.

Immediate Action: Organizations must apply the security updates provided by Linksys to all affected devices immediately. After patching, system administrators should review device access and system logs for any signs of unauthorized access or anomalous activity that may have occurred prior to the update.

Proactive Monitoring: Monitor network traffic for unusual outbound connections originating from the Linksys extenders. System administrators should review web administration logs for suspicious GET or POST requests containing shell metacharacters (e.g., ;, |, &&, $()). Monitor for unexpected configuration changes or unscheduled device reboots.

Compensating Controls: If patching cannot be performed immediately, implement the following controls to reduce the risk of exploitation:

• Restrict access to the device's web administration interface to a dedicated and trusted management network segment.
• Ensure that remote (WAN-side) administration is disabled.
• Implement network segmentation to isolate the Wi-Fi extenders from critical business systems and sensitive data stores.

Public Exploit Available: false

Given the High severity (CVSS 8.8) of this vulnerability, we recommend that organizations treat this as a critical priority. All affected Linksys devices must be identified and patched immediately to prevent potential device compromise and subsequent network intrusion. Although this CVE is not currently listed on the CISA KEV list, its high impact warrants immediate action. If patching is delayed, the compensating controls listed above should be implemented without delay to mitigate risk.