CVE-2025-5439

Name of the Vulnerable Software and Affected Versions Linksys RE6500 versions 1.0.013.001 through 1.2.07.001 Linksys RE6250 versions 1.0.013.001 through 1.2.07.001 Linksys RE6300 versions 1.0.013.001 through 1.2.07.001 Linksys RE6350 versions 1.0.013.001 through 1.2.07.001 Linksys RE7000 versions 1.0.013.001 through 1.2.07.001 Linksys RE9000 versions 1.0.013.001 through 1.2.07.001

Description A critical issue was found in the function verifyFacebookLike of the file /goform/verifyFacebookLike. The manipulation of the arguments uid and accessToken leads to os command injection. This issue can be exploited remotely. The exploit has been disclosed to the public.

Recommendations For Linksys RE6500 versions 1.0.013.001 through 1.2.07.001, consider disabling the verifyFacebookLike function until a patch is available. For Linksys RE6250 versions 1.0.013.001 through 1.2.07.001, consider disabling the verifyFacebookLike function until a patch is available. For Linksys RE6300 versions 1.0.013.001 through 1.2.07.001, consider disabling the verifyFacebookLike function until a patch is available. For Linksys RE6350 versions 1.0.013.001 through 1.2.07.001, consider disabling the verifyFacebookLike function until a patch is available. For Linksys RE7000 versions 1.0.013.001 through 1.2.07.001, consider disabling the verifyFacebookLike function until a patch is available. For Linksys RE9000 versions 1.0.013.001 through 1.2.07.001, consider disabling the verifyFacebookLike function until a patch is available. Avoid using the arguments uid and accessToken in the affected API endpoint until the issue is resolved.