CVE-2026-25603
Path Traversal in Linksys MR9600/MX4200 Enables Root Shell Execution
Publication date: 2026-02-24
Last updated on: 2026-02-26
Assigner: ENISA
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linksys | mr9600_firmware | 1.0.4.205530 |
| linksys | mx4200_firmware | 1.0.4.205530 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a path traversal issue affecting Linksys MR9600 and MX4200 Wi-Fi mesh routers. It occurs because the script responsible for mounting USB drive partitions shared via SMB does not properly sanitize the partition names. An attacker can name a USB partition with special path elements like "../" to cause the system to mount the partition in an arbitrary location in the file system.
For example, by naming a USB partition "../../tmp/cron/cron.everyminute" and placing a malicious shell script on it, the router mounts the partition in a cron directory where scripts are executed regularly. This leads to execution of the attacker's shell script with root privileges, effectively allowing remote code execution as root. [1]
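The root cause described above is a mount-point path built by concatenating an untrusted partition label onto a fixed directory. The following shell snippet is an added example, not code from the Linksys firmware or from the CVE record: it shows that naive concatenation beside a hardened version that treats the label as a single, allowlisted path component. The share root /tmp/anon_smb is taken from the detection guidance on this page; the function names and the sample labels are constructed for illustration.

```sh
# Added example (not Linksys firmware code). The partition label is read from
# the USB device itself, so it must be treated as untrusted input.
SHARE_ROOT=/tmp/anon_smb   # share root named in the CVE detection guidance

# Vulnerable pattern: the label is dropped into the path unchanged, so a label
# containing "../" resolves to a directory outside SHARE_ROOT.
unsafe_smb_mount_point() {
    printf '%s/%s\n' "$SHARE_ROOT" "$1"
}

# Hardened pattern: accept only a single, plain path component.
# Prints the mount point on success; prints nothing and returns 1 otherwise.
safe_smb_mount_point() {
    label=$1
    case $label in
        ''|*/*|*..*|.*) return 1 ;;    # empty, contains "/" or "..", or hidden
    esac
    case $label in
        *[!A-Za-z0-9_.-]*) return 1 ;; # any character outside the allowlist
    esac
    printf '%s/%s\n' "$SHARE_ROOT" "$label"
}

# Demonstration over constructed labels (the traversal one is from the CVE text)
for label in 'BACKUP' 'photos-2024' '../../tmp/cron/cron.everyminute' 'a/b' ''; do
    if mp=$(safe_smb_mount_point "$label"); then
        echo "ACCEPT '$label' -> $mp"
    else
        echo "REJECT '$label' (naive path would be: $(unsafe_smb_mount_point "$label"))"
    fi
done
```

The allowlist is the primary control because BusyBox-based firmware often lacks `realpath`; where a canonicalising tool is available, a second check that the resolved path still starts with `/tmp/anon_smb/` is cheap defence in depth.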
How can this vulnerability impact me?
This vulnerability can have severe impacts as it allows an attacker to execute arbitrary shell scripts with root privileges on the affected router. This means the attacker can take full control of the device remotely by inserting a specially crafted USB drive.
- Remote code execution as root user
- Potential full compromise of the router
- Ability to execute malicious commands or scripts on the device
- Possible network compromise or further attacks on connected devices
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the device mounts USB partitions with path traversal strings that allow mounting in arbitrary filesystem locations. Specifically, look for mounts under /tmp/anon_smb/ that include special path elements like "../".
You can inspect the mount points on the device to see if any USB partitions are mounted outside the expected directory. For example, use the command:
- mount | grep /tmp/anon_smb/
Additionally, check for suspicious directory names or mounts that include path traversal sequences such as "../../" which could indicate exploitation attempts.
You may also want to check the contents of the /etc/init.d/service_tsmb.sh script for improper sanitization of mount paths. [1]
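The `mount | grep` check above only lists mounts that are still under the share root, which is exactly the case that is not suspicious. The following shell function is an added example, not part of the CVE record or any vendor tooling: it reads `mount` output and flags a USB block device (assumed here to appear as /dev/sd*) mounted anywhere other than directly under /tmp/anon_smb/, as well as any mount target that still contains a ".." component. The sample mount lines are constructed; the cron path in the last one is the example from this page.

```sh
# Added example (not part of the CVE record or vendor tooling).
# Reads "mount" output on stdin and prints one line per suspicious entry.
# Assumptions: USB partitions show up as /dev/sd* and the legitimate share
# root is /tmp/anon_smb (overridable as the first argument).
audit_smb_mounts() {
    share_root=${1:-/tmp/anon_smb}
    while read -r dev on target rest; do
        [ "$on" = "on" ] || continue          # skip lines that are not mount entries
        case $target in
            *..*) printf 'TRAVERSAL %s -> %s\n' "$dev" "$target"; continue ;;
        esac
        case $dev in
            /dev/sd*)
                case $target in
                    "$share_root"/*) ;;       # expected location, nothing to report
                    *) printf 'OUTSIDE_SHARE_ROOT %s -> %s\n' "$dev" "$target" ;;
                esac ;;
        esac
    done
}

# Constructed sample of "mount" output: one benign USB share and one USB
# partition that landed in the cron directory named in the CVE description.
SAMPLE_MOUNTS='/dev/root on / type squashfs (ro,relatime)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
/dev/sda1 on /tmp/anon_smb/BACKUP type vfat (rw,relatime)
/dev/sdb1 on /tmp/cron/cron.everyminute type vfat (rw,relatime)'

# On a live device replace the printf with a plain "mount |"
printf '%s\n' "$SAMPLE_MOUNTS" | audit_smb_mounts
```

Note that the kernel records the resolved path of a mount point, so a partition mounted via a label such as "../../tmp/cron/cron.everyminute" normally appears in `mount` output as /tmp/cron/cron.everyminute with no ".." left in it; the reliable signal is therefore a USB device mounted outside the share root, which is why the function checks for that as well as for a literal traversal sequence.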
What immediate steps should I take to mitigate this vulnerability?
As of the public disclosure date, no fix or mitigation has been provided by the manufacturer.
Immediate steps include avoiding the use of USB drives on affected devices (Linksys MR9600 version 1.0.4.205530 and MX4200 version 1.0.13.210200) to prevent an attacker from exploiting the path traversal vulnerability.
Monitor the device for any suspicious mounts or unexpected execution of scripts, and restrict physical access to the device to prevent unauthorized USB insertion.
Consider isolating the affected devices from untrusted networks until a patch or official mitigation is released.