| Title | Linksys MR9600 firmware 2.0.6.206937 OS Command Injection |
|---|---|
| Description | An authenticated OS command injection vulnerability exists in Linksys MR9600 firmware 2.0.6.206937 in the SmartConnectConfigure workflow. In SmartConnect.lua, the smartConnectConfigure function builds a shell command using os.execute(...) with user-controlled fields (e.g., configApSsid, configApPassphrase, srpLogin, srpPassword) concatenated directly into the command string without proper sanitization or strict allowlisting. By sending crafted input to the JNAP action http://linksys.com/jnap/nodes/smartconnect/SmartConnectConfigure, an authenticated attacker can inject shell metacharacters and execute arbitrary commands on the device (root context in my test environment). Impact: authenticated remote code execution and full device compromise. Tested on: Linksys MR9600, firmware 2.0.6.206937. |
| Source | https://github.com/utmost3/cve/issues/1 |
| User | wuuu (UID 93536) |
| Submission | 03/08/2026 08:11 (30 days ago) |
| Moderation | 03/21/2026 21:43 (14 days later) |
| Status | Accepted |
| VulDB entry | 352385 [Linksys MR9600 2.0.6.206937 SmartConnect.lua smartConnectConfigure os command injection] |
| Points | 20 |
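The concatenation pattern the submission describes, placed beside a hardened variant, as an added illustration that is not the firmware's SmartConnect.lua code. The field names come from the description; the `wificonf` helper, the function names and the length limits are assumptions.

```lua
-- Illustrative only, not the MR9600 firmware's SmartConnect.lua: the advisory's
-- concatenation pattern beside a hardened variant ("wificonf" is hypothetical).

-- Unsafe: request fields are spliced straight into the command string, so any
-- shell metacharacter in them is interpreted by the shell os.execute spawns.
local function build_unsafe(req)
  return "wificonf --ssid " .. req.configApSsid ..
         " --key " .. req.configApPassphrase
end

-- Single-quote a value for the shell; an embedded ' becomes '\'' (close quote,
-- escaped quote, reopen). Nothing else is special inside single quotes.
local function shell_quote(s)
  return "'" .. (s:gsub("'", "'\\''")) .. "'"
end

-- Bound type and length, reject control characters, and allowlist fields that
-- are identifiers rather than free text (limits are assumed, not the firmware's).
local limits = { configApSsid = 32, configApPassphrase = 63,
                 srpLogin = 64, srpPassword = 64 }
local function validate(req)
  for field, max in pairs(limits) do
    local v = req[field]
    if type(v) ~= "string" or #v == 0 or #v > max then
      return nil, "bad length: " .. field
    end
    if v:find("%c") then
      return nil, "control character in " .. field
    end
  end
  if not req.srpLogin:match("^[%w_.%-]+$") then
    return nil, "srpLogin outside allowlist"
  end
  return true
end

-- Hardened: reject bad input, then quote what remains so the shell sees each
-- value as exactly one literal argument.
local function build_hardened(req)
  local ok, err = validate(req)
  if not ok then return nil, err end
  return "wificonf --ssid " .. shell_quote(req.configApSsid) ..
         " --key " .. shell_quote(req.configApPassphrase)
end

-- Constructed sample request with shell metacharacters in the SSID field.
local req = { configApSsid = "Joe's; echo x", configApPassphrase = "correct horse",
              srpLogin = "admin", srpPassword = "secret" }
print(build_unsafe(req))    -- the metacharacters survive into the command line
print(build_hardened(req))  -- each value is one single-quoted literal
```

Quoting contains the damage, but the sturdier fix is to avoid the shell altogether and hand the helper an argument vector, which os.execute (a wrapper around the C library's system()) cannot do.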