Linksys MR9600 RCE: Critical OS Command Injection Vulnerability
A high-severity OS command injection vulnerability, tracked as CVE-2026-6992, has been identified in Linksys MR9600 firmware version 2.0.6.206937. According to the National Vulnerability Database, this flaw resides in the BTRequestGetSmartConnectStatus function within the /etc/init.d/run_central2.sh script, part of the JNAP Action Handler component.
Attackers can exploit this by manipulating the pin argument, leading to arbitrary OS command execution. The attack can be initiated remotely, and the National Vulnerability Database confirms that a public exploit is available, increasing the immediate risk. Linksys was reportedly contacted regarding this disclosure but has not yet responded.
With a CVSSv3.1 score of 7.2 (HIGH), this vulnerability presents a significant risk for organizations and individuals using the affected Linksys MR9600 routers. Given the remote exploitability and public availability of attack code, these devices are prime targets for initial access and broader network compromise.
What This Means For You
- If your organization or home office uses a Linksys MR9600 router, especially firmware version 2.0.6.206937, you are directly exposed to CVE-2026-6992. Immediately isolate these devices from critical networks, search for vendor advisories, and prepare to patch as soon as a fix is released. Assume compromise if you cannot patch immediately, and monitor network traffic for any anomalous activity originating from these devices.
🛡️ Detection Rules
2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.
Linksys MR9600 OS Command Injection via BTRequestGetSmartConnectStatus - CVE-2026-6992
```yaml
title: Linksys MR9600 OS Command Injection via BTRequestGetSmartConnectStatus - CVE-2026-6992
id: scw-2026-04-25-ai-1
status: experimental
level: critical
description: |
  Detects attempts to exploit CVE-2026-6992 by targeting the BTRequestGetSmartConnectStatus function in Linksys MR9600 devices. The vulnerability allows OS command injection through manipulation of the 'pin' parameter in the JNAP Action Handler. This rule specifically looks for the vulnerable URI path and the presence of the 'pin=' parameter in the query string, indicating a potential exploit attempt.
author: SCW Feed Engine (AI-generated)
date: 2026-04-25
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-6992/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/JNAP/BTRequestGetSmartConnectStatus'
    cs-uri-query|contains:
      - 'pin='
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Source: Shimi's Cyber World
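A triage helper for hits from the rule above, added here as an example and not part of the original page or of any Sigma tooling: it applies the same two `contains` checks, then percent-decodes the `pin` value and separates routine numeric values from anything else, which helps with the "legitimate administrative activity" false positives. The log field order, the sample lines and the assumption that a legitimate pin is 4 to 8 digits are constructed for illustration.

```python
from urllib.parse import parse_qs

# Both markers come from the Sigma rule's selection.
URI_MARKER = "/JNAP/BTRequestGetSmartConnectStatus"
QUERY_MARKER = "pin="
# Assumed field order for the constructed log lines below (W3C-style names).
FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri", "cs-uri-query", "sc-status"]


def is_plain_pin(value):
    # Assumption: a legitimate pin is 4 to 8 ASCII digits and nothing else.
    return value.isascii() and value.isdigit() and 4 <= len(value) <= 8


def triage(line):
    """Return 'no_match', 'match' or 'match_suspicious' for one log line."""
    rec = dict(zip(FIELDS, line.split()))
    uri, query = rec.get("cs-uri", ""), rec.get("cs-uri-query", "")
    if URI_MARKER not in uri or QUERY_MARKER not in query:
        return "no_match"  # Sigma selection not satisfied
    # parse_qs percent-decodes values, so encoded characters become visible.
    pins = parse_qs(query, keep_blank_values=True, separator="&").get("pin", [])
    if len(pins) == 1 and is_plain_pin(pins[0]):
        return "match"  # rule fires, value looks routine
    return "match_suspicious"  # missing, repeated or non-numeric pin


def triage_all(lines):
    """Pair each client IP with its verdict, skipping lines the rule ignores."""
    out = []
    for line in lines:
        verdict = triage(line)
        if verdict != "no_match":
            out.append((line.split()[2], verdict))
    return out


# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    "2026-04-26 10:01:02 192.0.2.10 GET /JNAP/BTRequestGetSmartConnectStatus pin=12345678 200",
    "2026-04-26 10:01:09 198.51.100.7 GET /JNAP/BTRequestGetSmartConnectStatus pin=1234%3Bx 200",
    "2026-04-26 10:02:00 192.0.2.10 GET /index.html - 200",
    "2026-04-26 10:02:31 198.51.100.7 GET /JNAP/BTRequestGetSmartConnectStatus pin=1234&pin=5678 200",
]

if __name__ == "__main__":
    for ip, verdict in triage_all(SAMPLE_LOG):
        print(ip, verdict)
```

Hits marked `match_suspicious` are the ones to review first; `match` hits still satisfy the rule and should not be discarded.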
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-6992 | Command Injection | Linksys MR9600 version 2.0.6.206937 |
| CVE-2026-6992 | Command Injection | Vulnerable function: BTRequestGetSmartConnectStatus |
| CVE-2026-6992 | Command Injection | Vulnerable file: /etc/init.d/run_central2.sh |
| CVE-2026-6992 | Command Injection | Vulnerable component: JNAP Action Handler |
| CVE-2026-6992 | Command Injection | Manipulation of argument: pin |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 25, 2026 at 21:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.