Description
RadiX AX6600 WiFi 6 Tri-Band Gaming Router contains an OS command injection vulnerability, which may lead to arbitrary command execution with the root privilege by a user who logs in to the web console as an administrator.
Published: 2026-06-17
Score: 8.6 High
EPSS: 1.8% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

RadiX AX6600 WiFi 6 Tri‑Band Gaming Router contains an OS command injection flaw that allows a user authenticated as a web console administrator to inject arbitrary shell commands. This weakness, classified as CWE‑78, can result in full root‑privileged execution on the device, compromising confidentiality, integrity, and availability of the router and any networks it serves. The attacker can gain persistent control of the router, modify network traffic, or pivot to other devices on the internal network.

Affected Systems

MSI RadiX AX6600 WiFi 6 Tri‑Band Gaming Router is affected. No specific firmware version is listed in the advisory, so all released firmware iterations may be vulnerable until a patch is available.

Risk and Exploitability

With a CVSS score of 8.6 and an EPSS score of 2%, the vulnerability is considered high‑risk and has a moderate probability of exploitation. The advisory does not list this CVE in CISA’s KEV catalog, but the OS command injection can be triggered remotely via the web console, and only users with administrator credentials can exploit it. Because the attack requires legitimate admin access, the threat remains largely internal or originates from compromised local users.

Generated by OpenCVE AI on June 18, 2026 at 12:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest firmware update released by MSI that addresses the command injection flaw.
  • Restrict web‑console access to trusted local IP ranges and disable remote administration if not needed.
  • Configure the router to validate or sanitise all user‑supplied input to web‑console fields to prevent injection of shell commands.

Generated by OpenCVE AI on June 18, 2026 at 12:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Msi
Msi radix Ax6600 Wifi 6 Tri-band Gaming Router
Vendors & Products Msi
Msi radix Ax6600 Wifi 6 Tri-band Gaming Router

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Command Injection in MSI RadiX AX6600 Router Leading to Root Privilege Execution
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 06:00:00 +0000

Type Values Removed Values Added
Description RadiX AX6600 WiFi 6 Tri-Band Gaming Router contains an OS command injection vulnerability, which may lead to arbitrary command execution with the root privilege by a user who logs in to the web console as an administrator.
Weaknesses CWE-78
References
Metrics cvssV3_0

{'score': 7.2, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Msi Radix Ax6600 Wifi 6 Tri-band Gaming Router
cve-icon MITRE

Status: PUBLISHED

Assigner: jpcert

Published:

Updated: 2026-06-17T14:21:46.407Z

Reserved: 2026-06-10T23:40:13.782Z

Link: CVE-2026-53876

cve-icon Vulnrichment

Updated: 2026-06-17T14:21:42.956Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T23:05:11Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')