critical advisory March 23, 2026

Linksys MR9600 SmartConnect OS Command Injection (CVE-2026-4558)

A remote OS command injection vulnerability exists in the Linksys MR9600 router version 2.0.6.206937, allowing attackers to execute arbitrary commands by manipulating specific function arguments via the SmartConnect.lua file.

CVE-2026-4558 is a critical vulnerability affecting Linksys MR9600 routers, specifically version 2.0.6.206937. The flaw resides within the smartConnectConfigure function of the SmartConnect.lua file. Attackers can remotely inject OS commands by manipulating the configApSsid, configApPassphrase, srpLogin, or srpPassword arguments. Publicly available exploits exist, increasing the risk of exploitation. The vendor was notified but has not yet provided a patch or response, leaving users…

Detection coverage 2

Linksys MR9600 Command Injection Attempt

critical

Detects suspicious HTTP requests attempting to exploit the command injection vulnerability in Linksys MR9600 via SmartConnect.lua

sigma tactics: command_and_control, execution techniques: T1059.004, T1071.001 sources: webserver, linux

Linksys MR9600 Network Exploit

high

Detects network connections associated with potential exploitation of Linksys MR9600 command injection.

sigma tactics: initial_access techniques: T1190 sources: network_connection, firewall

Detection queries are kept inside the platform. Get full rules →