Skip to main content
CVE Vulnerability Database

CVE-2026-6992: Linksys MR9600 Firmware RCE Vulnerability

CVE-2026-6992 is a remote code execution vulnerability in Linksys MR9600 Firmware caused by OS command injection in the JNAP Action Handler. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-6992 Overview

A critical OS command injection vulnerability has been identified in the Linksys MR9600 router firmware version 2.0.6.206937. This vulnerability affects the BTRequestGetSmartConnectStatus function within the /etc/init.d/run_central2.sh script, which is part of the JNAP Action Handler component. By manipulating the pin argument, an authenticated attacker with high privileges can inject arbitrary operating system commands that execute in the context of the router's operating system.

The vulnerability is remotely exploitable over the network, and exploit code is publicly available. The vendor (Linksys) was contacted during responsible disclosure but did not respond.

Critical Impact

Successful exploitation allows remote attackers with administrative access to execute arbitrary system commands on the affected Linksys MR9600 router, potentially leading to complete device compromise, network infiltration, or use of the device in botnet activities.

Affected Products

  • Linksys MR9600 Firmware version 2.0.6.206937
  • Linksys MR9600 Hardware
  • linksys mr9600_firmware

Discovery Timeline

  • 2026-04-25 - CVE-2026-6992 published to NVD
  • 2026-04-30 - Last updated in NVD database

Technical Details for CVE-2026-6992

Vulnerability Analysis

This command injection vulnerability (CWE-77) exists in the JNAP Action Handler component of the Linksys MR9600 router. The vulnerable function BTRequestGetSmartConnectStatus processes user-supplied input from the pin parameter without adequate sanitization or validation before passing it to system shell commands.

The attack requires network access and high privileges (typically administrative authentication), but once those conditions are met, exploitation is straightforward with low attack complexity and no user interaction required. The vulnerability has a complete impact on confidentiality, integrity, and availability of the affected device, meaning an attacker can read sensitive data, modify system configurations, and disrupt router operations entirely.

Root Cause

The root cause of this vulnerability is improper neutralization of special elements used in OS commands. The BTRequestGetSmartConnectStatus function in /etc/init.d/run_central2.sh fails to properly sanitize the pin argument before incorporating it into shell command execution. This allows specially crafted input containing shell metacharacters to break out of the intended command context and execute arbitrary commands.

Attack Vector

The attack vector is network-based, targeting the JNAP (JSON API for Network Access Points) interface on the Linksys MR9600 router. An attacker with administrative credentials can send a malicious JNAP request to the BTRequestGetSmartConnectStatus action with a crafted pin parameter containing OS command injection payloads.

The attack flow typically involves:

  1. Authenticating to the router's administrative interface
  2. Sending a JNAP request to the vulnerable action handler
  3. Including shell metacharacters and commands in the pin parameter
  4. The injected commands execute with the privileges of the router's web service process

Additional technical details and proof-of-concept information are available through the GitHub Issue Discussion and VulDB Vulnerability #359544.

Detection Methods for CVE-2026-6992

Indicators of Compromise

  • Unexpected outbound network connections from the router to unfamiliar IP addresses
  • Unusual process execution or shell activity logged in router diagnostics
  • Modified router configuration files, especially in /etc/init.d/ directory
  • Presence of unauthorized SSH keys or new administrative accounts
  • Router exhibiting signs of being part of a botnet (scanning, DDoS traffic)

Detection Strategies

  • Monitor JNAP API requests for anomalous patterns, particularly requests to BTRequestGetSmartConnectStatus with suspicious pin parameter values
  • Implement network intrusion detection rules to identify command injection patterns in HTTP traffic destined for Linksys router management ports
  • Review router access logs for repeated authentication attempts followed by JNAP action requests
  • Deploy network traffic analysis to detect unusual command-and-control communication patterns from router IP addresses

Monitoring Recommendations

  • Enable comprehensive logging on the router if available and forward logs to a centralized SIEM
  • Monitor for firmware integrity changes using periodic hash verification of critical system files
  • Implement network segmentation to isolate IoT and router management interfaces from general network traffic
  • Configure alerts for administrative access to the router from unexpected source IP addresses

How to Mitigate CVE-2026-6992

Immediate Actions Required

  • Restrict administrative access to the Linksys MR9600 to trusted internal IP addresses only using firewall rules
  • Disable remote management features if not absolutely required
  • Ensure strong, unique administrative credentials are in place
  • Monitor for and apply any firmware updates from Linksys when available
  • Consider network segmentation to limit lateral movement if the device is compromised

Patch Information

As of the last modification date (2026-04-30), no official patch has been released by Linksys. The vendor was contacted during responsible disclosure but did not respond. Users should monitor the Linksys Security Page for future security advisories and firmware updates.

Organizations using the affected device should implement compensating controls and consider device replacement if no patch becomes available. For additional vulnerability context, refer to VulDB CTI for #359544.

Workarounds

  • Disable the JNAP interface or restrict access to it through firewall rules if the SmartConnect functionality is not required
  • Implement a reverse proxy or web application firewall (WAF) in front of the router's management interface to filter malicious requests
  • Place the router behind a VPN gateway and require VPN authentication before administrative access
  • Monitor and alert on any JNAP API calls to the BTRequestGetSmartConnectStatus function

Network administrators can implement access control lists to restrict management interface access:

bash
# Example iptables rules to restrict router management access
# Allow management access only from trusted admin subnet
iptables -A INPUT -p tcp --dport 80 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.