| Título | Linksys MR9600 firmware 2.0.6.206937 OS Command Injection |
|---|
| Descrição | An authenticated OS command injection vulnerability exists in Linksys MR9600 firmware 2.0.6.206937 in the SmartConnectConfigure workflow.
In SmartConnect.lua, the smartConnectConfigure function builds a shell command using os.execute(...) with user-controlled fields (e.g., configApSsid, configApPassphrase, srpLogin, srpPassword) concatenated directly into the command string without proper sanitization or strict allowlisting.
By sending crafted input to the JNAP action:
http://linksys.com/jnap/nodes/smartconnect/SmartConnectConfigure
an authenticated attacker can inject shell metacharacters and execute arbitrary commands on the device (root context in my test environment).
Impact: authenticated remote code execution and full device compromise.
Tested on: Linksys MR9600, firmware 2.0.6.206937.
|
|---|
| Fonte | ⚠️ https://github.com/utmost3/cve/issues/1 |
|---|
| Utilizador | wuuu (UID 93536) |
|---|
| Submissão | 08/03/2026 08h11 (há 2 meses) |
|---|
| Moderação | 21/03/2026 21h43 (14 days later) |
|---|
| Estado | Aceite |
|---|
| Entrada VulDB | 352385 [Linksys MR9600 2.0.6.206937 SmartConnect.lua smartConnectConfigure Elevação de Privilégios] |
|---|
| Pontos | 20 |
|---|