{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6992", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-24T19:39:58.219Z", "datePublished": "2026-04-25T18:00:20.422Z", "dateUpdated": "2026-04-27T13:34:09.962Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-25T18:00:20.422Z"}, "title": "Linksys MR9600 JNAP Action run_central2.sh BTRequestGetSmartConnectStatus os command injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-78", "lang": "en", "description": "OS Command Injection"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-77", "lang": "en", "description": "Command Injection"}]}], "affected": [{"vendor": "Linksys", "product": "MR9600", "versions": [{"version": "2.0.6.206937", "status": "affected"}], "cpes": ["cpe:2.3:o:linksys:mr9600_firmware:*:*:*:*:*:*:*:*"], "modules": ["JNAP Action Handler"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in Linksys MR9600 2.0.6.206937. This affects the function BTRequestGetSmartConnectStatus of the file /etc/init.d/run_central2.sh of the component JNAP Action Handler. The manipulation of the argument pin leads to os command injection. The attack may be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.6, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P", "baseSeverity": "HIGH"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 8.3, "vectorString": "AV:N/AC:L/Au:M/C:C/I:C/A:C/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-24T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-24T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-24T21:45:04.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "wuuu (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/359544", "name": "VDB-359544 | Linksys MR9600 JNAP Action run_central2.sh BTRequestGetSmartConnectStatus os command injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/359544/cti", "name": "VDB-359544 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/797086", "name": "Submit #797086 | Linksys MR9600 Firmware 2.0.6.206937 Command Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/utmost3/cve/issues/2", "tags": ["exploit", "issue-tracking"]}, {"url": "https://www.linksys.com/", "tags": ["product"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-27T13:10:55.443763Z", "id": "CVE-2026-6992", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T13:34:09.962Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-6992", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-27T13:10:55.443763Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T13:10:56.743Z"}}], "cna": {"title": "Linksys MR9600 JNAP Action run_central2.sh BTRequestGetSmartConnectStatus os command injection", "credits": [{"lang": "en", "type": "reporter", "value": "wuuu (VulDB User)"}, {"lang": "en", "type": "coordinator", "value": "VulDB CNA Team"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.6, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 8.3, "vectorString": "AV:N/AC:L/Au:M/C:C/I:C/A:C/E:POC/RL:ND/RC:UR"}}], "affected": [{"cpes": ["cpe:2.3:o:linksys:mr9600_firmware:*:*:*:*:*:*:*:*"], "vendor": "Linksys", "modules": ["JNAP Action Handler"], "product": "MR9600", "versions": [{"status": "affected", "version": "2.0.6.206937"}]}], "timeline": [{"lang": "en", "time": "2026-04-24T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-04-24T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-04-24T21:45:04.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/359544", "name": "VDB-359544 | Linksys MR9600 JNAP Action run_central2.sh BTRequestGetSmartConnectStatus os command injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/359544/cti", "name": "VDB-359544 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/797086", "name": "Submit #797086 | Linksys MR9600 Firmware 2.0.6.206937 Command Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/utmost3/cve/issues/2", "tags": ["exploit", "issue-tracking"]}, {"url": "https://www.linksys.com/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in Linksys MR9600 2.0.6.206937. This affects the function BTRequestGetSmartConnectStatus of the file /etc/init.d/run_central2.sh of the component JNAP Action Handler. The manipulation of the argument pin leads to os command injection. The attack may be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "OS Command Injection"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-77", "description": "Command Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-25T18:00:20.422Z"}}}, "cveMetadata": {"cveId": "CVE-2026-6992", "state": "PUBLISHED", "dateUpdated": "2026-04-27T13:34:09.962Z", "dateReserved": "2026-04-24T19:39:58.219Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-04-25T18:00:20.422Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linksys:mr9600_firmware:2.0.6.206937:*:*:*:*:*:*:*", "matchCriteriaId": "BA0B75FC-F09F-4981-AEAB-E1A207E8A21E", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:linksys:mr9600:-:*:*:*:*:*:*:*", "matchCriteriaId": "EEF496D6-F5A4-4859-9BAC-016EB64A701C", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in Linksys MR9600 2.0.6.206937. This affects the function BTRequestGetSmartConnectStatus of the file /etc/init.d/run_central2.sh of the component JNAP Action Handler. The manipulation of the argument pin leads to os command injection. The attack may be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "id": "CVE-2026-6992", "lastModified": "2026-04-30T14:09:56.830", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "MULTIPLE", "availabilityImpact": "COMPLETE", "baseScore": 8.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:M/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 6.4, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-25T18:16:19.413", "references": [{"source": "cna@vuldb.com", "tags": ["Exploit", "Third Party Advisory", "Issue Tracking"], "url": "https://github.com/utmost3/cve/issues/2"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/submit/797086"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/vuln/359544"}, {"source": "cna@vuldb.com", "tags": ["Permissions Required", "VDB Entry"], "url": "https://vuldb.com/vuln/359544/cti"}, {"source": "cna@vuldb.com", "tags": ["Product"], "url": "https://www.linksys.com/"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}, {"lang": "en", "value": "CWE-78"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2.0.6.206937"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "MR9600", "source": "cna", "vendor": "Linksys"}, "product": "mr9600", "vendor": "linksys"}], "analysis": {"en": {"generated_at": "2026-04-28T05:30:51.111600+00:00", "value": {"mitigation_remediation": ["Apply the latest firmware update available from Linksys that addresses the command injection.", "If a firmware update is not yet released, restrict or disable the JNAP interface or the BTRequestGetSmartConnectStatus action via router settings or firewall rules.", "Monitor device logs for suspicious JNAP activity and enforce network segmentation around the router to limit potential lateral movement."], "summary": {"action": "Immediate Patch", "impact": "remote command execution"}, "threat_synthesis": {"affected_systems": "The flaw affects the Linksys MR9600, specifically firmware 2.0.6.206937. Other firmware variants may also be susceptible if they include the same vulnerable /etc/init.d/run_central2.sh script. Because the vulnerability resides in the router's JNAP interface, any device accessed through that interface could be impacted.", "description_and_impact": "The vulnerability is an OS command injection in the BTRequestGetSmartConnectStatus action of the JNAP Action Handler on the Linksys MR9600 router. By supplying a specially crafted pin argument, an attacker can inject arbitrary system commands that are executed with the privileges of the router\u2019s firmware. This allows remote attackers to compromise the entire device, gaining full control over the system, exfiltrating data, installing malware, or disrupting network operation.", "risk_and_exploitability": "The CVSS score of 8.6 indicates high severity, and the EPSS score of less than 1% suggests a low probability of widespread exploitation in the short term. However, the exploit code is publicly available, and there is no known mitigation in CISA KEV. The attack is remote and can be launched over the network by sending a request to the JNAP endpoint that triggers the vulnerable action, making it highly actionable to attackers with network visibility to the device."}}}}, "created": "2026-04-27T18:45:11.309248+00:00", "updated": "2026-04-28T05:45:23.286928+00:00", "vendors": ["linksys", "linksys$PRODUCT$mr9600"]}