CVE-2026-6992
OS Command Injection in Linksys MR9600 JNAP Action Handler
Publication date: 2026-04-25
Last updated on: 2026-04-30
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linksys | mr9600_firmware | 2.0.6.206937 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-6992 is a command injection vulnerability found in the Linksys MR9600 router, specifically in the BT Smart Connect feature. The flaw exists in the function BTRequestGetSmartConnectStatus within the router's JNAP Action Handler component. An attacker can manipulate the 'pin' argument to inject and execute arbitrary operating system commands remotely.
This vulnerability allows remote attackers to execute commands on the router without user interaction, potentially compromising the device.
How can this vulnerability impact me? :
This vulnerability can have severe impacts as it allows remote attackers to execute arbitrary commands on the affected router. This can lead to full compromise of the device, including unauthorized access, control over network traffic, data interception, or disruption of network services.
Since the exploit is publicly available and the vendor has not responded, the risk of exploitation is significant.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves command injection via the BT Smart Connect feature exposed through the router's web management interface. Detection can be approached by monitoring for unusual or unauthorized commands executed through this interface.
Since the vulnerability is in the function BTRequestGetSmartConnectStatus of the /etc/init.d/run_central2.sh script, detection might involve checking for suspicious invocations or modifications of this script.
One practical approach is to emulate the router environment as described in the resource to safely analyze and test for the vulnerability.
- Use network monitoring tools to capture HTTP requests to the router's web management interface, especially those targeting the BT Smart Connect feature.
- Check the router logs for any unexpected commands or errors related to /etc/init.d/run_central2.sh.
- If you have shell access, you can verify the integrity and permissions of /etc/init.d/run_central2.sh.
- Commands to check the script permissions and content: `ls -l /etc/init.d/run_central2.sh` and `cat /etc/init.d/run_central2.sh`.
- Monitor network traffic on port 8080 if using the emulated environment or the router's web interface port for suspicious activity.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the router's web management interface to trusted networks or IP addresses to prevent remote exploitation.
Disable the BT Smart Connect feature if possible, as it is the vector for the command injection.
Monitor and audit router logs for any signs of exploitation attempts.
If feasible, emulate the router environment as described to analyze and test patches or workarounds.
Since the vendor has not responded, consider isolating the device from critical networks until a patch or official fix is available.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify how the CVE-2026-6992 vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.