EUVD-2026-14333
GHSA-c659-rvfg-wgf8
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4Tags
Description
A flaw has been found in Linksys MR9600 2.0.6.206937. Affected is the function smartConnectConfigure of the file SmartConnect.lua. Executing a manipulation of the argument configApSsid/configApPassphrase/srpLogin/srpPassword can lead to os command injection. The attack may be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis
Unauthenticated attackers can inject arbitrary operating system commands through manipulated parameters in the SmartConnect configuration function of Linksys MR9600 firmware version 2.0.6.206937, achieving remote code execution with high privileges. Public exploit code is available for this vulnerability, and no patch has been released despite vendor notification. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all Linksys MR9600 devices in production and restrict administrative access to trusted personnel only. Within 7 days: Implement network segmentation to isolate affected routers and deploy WAF/IPS rules to block malicious smartConnectConfigure requests; evaluate firmware alternatives or hardware replacement timelines. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today