Description
A flaw has been found in Linksys MR9600 2.0.6.206937. Affected is the function smartConnectConfigure of the file SmartConnect.lua. Executing a manipulation of the argument configApSsid/configApPassphrase/srpLogin/srpPassword can lead to os command injection. The attack may be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-03-22
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an OS command injection flaw in the smartConnectConfigure function of SmartConnect.lua. By manipulating the configuration parameters configApSsid, configApPassphrase, srpLogin, or srpPassword a remote attacker can execute arbitrary operating‑system commands, compromising confidentiality, integrity, and availability of the device. This is an instance of CWE-77 and CWE-78 weaknesses.

Affected Systems

Linksys MR9600 routers running firmware version 2.0.6.206937 are affected.

Risk and Exploitability

The CVSS score of 8.7 indicates a high severity. No EPSS score is reported, and the vulnerability is not listed in the KEV catalog. An exploit has already been published and can be triggered remotely without local authentication. Based on the description, the likely attack vector is a remote HTTP or web service request that passes malicious input to the SmartConnect configuration endpoint. The risk remains substantial if the device is exposed to untrusted networks.

Generated by OpenCVE AI on March 22, 2026 at 18:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the MR9600 firmware to a version that fixes the command injection flaw.
  • If an update is not immediately available, block or restrict external access to the SmartConnect configuration interface.
  • Monitor device logs for anomalous command execution attempts.

Generated by OpenCVE AI on March 22, 2026 at 18:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Linksys mr9600
Vendors & Products Linksys mr9600

Sun, 22 Mar 2026 17:45:00 +0000

Type Values Removed Values Added
Description A flaw has been found in Linksys MR9600 2.0.6.206937. Affected is the function smartConnectConfigure of the file SmartConnect.lua. Executing a manipulation of the argument configApSsid/configApPassphrase/srpLogin/srpPassword can lead to os command injection. The attack may be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title Linksys MR9600 SmartConnect.lua smartConnectConfigure os command injection
First Time appeared Linksys
Linksys mr9600 Firmware
Weaknesses CWE-77
CWE-78
CPEs cpe:2.3:o:linksys:mr9600_firmware:*:*:*:*:*:*:*:*
Vendors & Products Linksys
Linksys mr9600 Firmware
References
Metrics cvssV2_0

{'score': 9, 'vector': 'AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Linksys Mr9600 Mr9600 Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-23T16:06:52.992Z

Reserved: 2026-03-21T20:47:50.172Z

Link: CVE-2026-4558

cve-icon Vulnrichment

Updated: 2026-03-23T16:06:48.664Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-22T18:16:06.023

Modified: 2026-03-23T14:31:37.267

Link: CVE-2026-4558

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:50:22Z

Weaknesses