Linksys MR9600 exposes admin credentials
CVE-2026-4558
Remote unauthenticated attackers can execute OS commands on Linksys MR9600 routers (firmware 2.0.6.206937) to take full control, intercept traffic, and install malware. No patch available yet.
Vendor-confirmed - CVE-2026-4558 is a high-severity OS command injection in Linksys MR9600 firmware 2.0.6.206937 that grants remote unauthenticated attackers full device control via the Smart Connect feature. No patch is available; isolate the router immediately.
Overview
A critical security vulnerability, tracked as CVE-2026-4558, has been identified in the Linksys MR9600 dual-band Wi-Fi 6 router. This flaw is an operating system (OS) command injection vulnerability residing in the router’s web management interface. If exploited, it allows a remote attacker to execute arbitrary commands on the device with high privileges.
Vulnerability Details
The vulnerability exists in firmware version 2.0.6.206937. Specifically, it is located in the smartConnectConfigure function within the SmartConnect.lua script. This function handles configuration for the router’s Smart Connect feature, which manages band steering for Wi-Fi networks.
The flaw occurs because the software does not properly validate or sanitize user-supplied input in several parameters (configApSsid, configApPassphrase, srpLogin, srpPassword). An attacker can craft malicious input containing OS commands. When this input is processed by the vulnerable function, the embedded commands are executed by the router’s underlying operating system. The attack can be performed remotely without requiring authentication to the device.
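A detection sketch for the four parameters named above, added here as an example (it is not code from the advisory or from Linksys). It assumes management-interface request bodies are captured as one JSON object per line with hypothetical "src" and "body" fields, and it assumes a generic set of shell metacharacters, since the advisory does not say which characters trigger the flaw. Passphrases may legitimately contain some of these characters, so hits are candidates for review.

```python
import json
import re

# Parameters the advisory lists as reaching smartConnectConfigure unsanitized.
WATCHED = {"configApSsid", "configApPassphrase", "srpLogin", "srpPassword"}

# Assumption: characters a POSIX shell treats specially (not taken from the advisory).
SHELL_META = re.compile(r"[;&|`$<>\\\n\r(){}]")

def find_suspect_fields(obj, path=""):
    """Walk decoded JSON; return [(field path, metacharacters)] for watched keys."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            here = f"{path}.{key}" if path else key
            if key in WATCHED and isinstance(value, str):
                meta = sorted(set(SHELL_META.findall(value)))
                if meta:
                    hits.append((here, meta))
            else:
                hits.extend(find_suspect_fields(value, here))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            hits.extend(find_suspect_fields(value, f"{path}[{i}]"))
    return hits

def scan_log(lines):
    """Return [(line number, source, field path, metacharacters)] over a capture."""
    findings = []
    for number, line in enumerate(lines, 1):
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON lines instead of aborting the scan
        src = record.get("src") if isinstance(record, dict) else None
        for where, meta in find_suspect_fields(record):
            findings.append((number, src, where, meta))
    return findings

# Constructed sample capture; the field layout and all values are invented.
SAMPLE_LOG = [
    '{"src": "192.168.1.23", "body": {"configApSsid": "HomeNet-5G", "configApPassphrase": "correct horse battery"}}',
    '{"src": "203.0.113.9", "body": {"configApSsid": "lab;PLACEHOLDER", "srpLogin": "admin"}}',
    '{"src": "192.168.1.23", "body": {"settings": [{"srpPassword": "pa`PLACEHOLDER`ss"}]}}',
    'proxy restarted',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```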
Impact
The impact of this vulnerability is severe (CVSS score 8.8). A successful exploit could allow an attacker to:
- Gain full control of the router.
- Intercept, redirect, or modify network traffic (a man-in-the-middle attack).
- Install persistent malware or backdoors.
- Use the compromised router to launch attacks against other devices on the local network or the wider internet.
- Render the router inoperable.
An exploit for this vulnerability has been made public, significantly increasing the risk of active attacks. The vendor was contacted prior to disclosure but has not provided a response or patch at this time.
Remediation and Mitigation
Primary Action: Immediate Isolation and Monitoring
As no official patch is currently available from the vendor, the following mitigation steps are critical:
- Isolate the Device: If possible, take the affected Linksys MR9600 router offline, especially if it is deployed in a sensitive or business environment.
- Restrict Access: Ensure the router’s web management interface (admin panel) is not accessible from the internet (WAN). This setting is often labeled “Remote Management” and should be disabled.
- Monitor Network Traffic: Closely monitor network logs for any unusual outbound connections or suspicious activity originating from the router’s IP address. For context on how such exploits can lead to data theft, you can review historical incidents in our breach reports.
Long-term Solution: Firmware Update
Monitor the official Linksys security advisories and support page diligently for a firmware update that addresses CVE-2026-4558. Apply the patch immediately upon release. Do not rely on the auto-update feature; manually check for updates regularly.
Until a fix is provided, consider the continued use of this router in any capacity a high risk. Organizations should evaluate replacing affected devices with a model from a vendor that provides responsive security support. Stay informed on developing threats by following the latest security news.