{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/mr9600-2.0.6.206937/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-6992"}],"_cs_exploited":false,"_cs_products":["MR9600 (2.0.6.206937)"],"_cs_severities":["critical"],"_cs_tags":["cve-2026-6992","command-injection","router","rce"],"_cs_type":"advisory","_cs_vendors":["Linksys"],"content_html":"\u003cp\u003eA command injection vulnerability, CVE-2026-6992, affects the Linksys MR9600 router, specifically version 2.0.6.206937. The vulnerability resides in the JNAP Action Handler component within the \u003ccode\u003e/etc/init.d/run_central2.sh\u003c/code\u003e script. Attackers can remotely exploit this flaw by manipulating the \u003ccode\u003epin\u003c/code\u003e argument passed to the \u003ccode\u003eBTRequestGetSmartConnectStatus\u003c/code\u003e function. This allows for the execution of arbitrary operating system commands on the affected device. A public exploit is available, increasing the risk of exploitation. The vendor was notified but did not respond.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a crafted HTTP request to the Linksys MR9600 router.\u003c/li\u003e\n\u003cli\u003eThe request targets the JNAP Action Handler component, specifically the \u003ccode\u003e/etc/init.d/run_central2.sh\u003c/code\u003e script.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eBTRequestGetSmartConnectStatus\u003c/code\u003e function is invoked by the crafted request.\u003c/li\u003e\n\u003cli\u003eThe attacker injects malicious OS commands within the \u003ccode\u003epin\u003c/code\u003e argument of the \u003ccode\u003eBTRequestGetSmartConnectStatus\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe router\u0026rsquo;s firmware processes the request, failing to properly sanitize the \u003ccode\u003epin\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eThe injected OS commands are executed with the privileges of the running process, potentially \u003ccode\u003eroot\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the router, potentially allowing for further malicious activities, such as network traffic interception or modification of router settings.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6992 allows a remote attacker to execute arbitrary commands on the Linksys MR9600 router. This can lead to a complete compromise of the device, allowing the attacker to monitor network traffic, change router configurations, or use the router as a foothold for further attacks within the network. Given the availability of a public exploit, the risk of widespread exploitation is high.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect CVE-2026-6992 Exploitation Attempt\u003c/code\u003e to identify exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eApply the Sigma rule \u003ccode\u003eDetect Suspicious Shell Activity via Web Request\u003c/code\u003e to detect potential command injection attempts.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests containing suspicious characters in the \u003ccode\u003ecs-uri-query\u003c/code\u003e field that target \u003ccode\u003e/etc/init.d/run_central2.sh\u003c/code\u003e to uncover exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-26T12:00:00Z","date_published":"2026-04-26T12:00:00Z","id":"/briefs/2026-04-linksys-rce/","summary":"CVE-2026-6992 is a command injection vulnerability in the Linksys MR9600 router that allows remote attackers to execute arbitrary OS commands by manipulating the 'pin' argument in the BTRequestGetSmartConnectStatus function.","title":"Linksys MR9600 Command Injection Vulnerability (CVE-2026-6992)","url":"https://feed.craftedsignal.io/briefs/2026-04-linksys-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — MR9600 (2.0.6.206937)","version":"https://jsonfeed.org/version/1.1"}