Introduction
An unauthenticated scan of the internet will still find Linksys MR9600 routers exposed on WAN interfaces, and a newly disclosed command injection flaw means any of those running firmware 2.0.6.206937 can be rooted with a single crafted JNAP request. CVE-2026-6992 is particularly concerning because the MR9600 reached End of Life on December 11, 2023, the vendor has not responded to the disclosure, and a complete exploit chain (including reverse shell) is already public.
Technical Information
The vulnerability is a textbook case of unquoted shell variable expansion leading to OS command injection (CWE-78). The data flow begins at the Linksys JNAP API entry point and traverses multiple Lua scripts before reaching a shell script that executes attacker-controlled input without any sanitization.
JNAP Request Handling
The JNAP API on Linksys routers uses the X-JNAP-Action HTTP header to route requests to specific handler functions. One important operational detail: JNAP requests typically return a 200 OK status code even when errors occur, which can complicate traditional HTTP-based monitoring and detection.
Execution Path
The vulnerable data flow passes through three distinct components:
| Component | File | Behavior |
|---|---|---|
| JNAP Entry Point | btsmartconnect.lua | The btRequestGetSmartConnectStatus function accepts the attacker-controlled pin argument directly from the HTTP request body. |
| Command Builder | bluetooth.lua | The btGetSmartConnectStatus2 function passes the pin to btRunCentralCommand2, which concatenates it into a command string executed via io.popen. |
| Shell Execution | /etc/init.d/run_central2.sh | The script concatenates arguments into an OPTION variable and executes /usr/bin/btsetup_central $OPTION without quoting, allowing injected commands to run. |
The core issue is in run_central2.sh. Because the $OPTION variable is not quoted when passed to the shell, any shell metacharacters embedded in the pin value break out of the intended command context. A payload structured as a ; <arbitrary command> ; # results in the arbitrary command executing as root.
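Because JNAP answers 200 OK even on errors, detection has to key on the X-JNAP-Action header and the pin argument rather than the status code. The following is an added example, not code from the original write-up or from Linksys. It assumes each request is available as a header dictionary plus a JSON body, and the action namespace, sample requests and metacharacter set are constructed for illustration.

```python
import json
import re

# Action name taken from the page; the full action URI is not given there,
# so only the trailing path segment of the header value is compared.
ACTION = "btrequestgetsmartconnectstatus"
# Assumption: characters a legitimate pin does not need but a shell interprets.
SHELL_META = re.compile(r"[;|&$`<>(){}\\'\"#\s]")

def inspect_request(headers, body):
    """Return (verdict, detail) for one captured JNAP request.

    The HTTP status is deliberately ignored: JNAP returns 200 OK on errors too.
    """
    action = ""
    for name, value in headers.items():
        if name.lower() == "x-jnap-action":  # header names are case-insensitive
            action = value.rstrip("/").rsplit("/", 1)[-1].lower()
    if action != ACTION:
        return ("ignore", "other action")
    try:
        pin = json.loads(body).get("pin")
    except (ValueError, AttributeError):
        return ("alert", "body is not a JSON object")
    if not isinstance(pin, str):
        return ("alert", "pin missing or not a string")
    hit = SHELL_META.search(pin)
    if hit:
        return ("alert", f"shell metacharacter {hit.group()!r} in pin")
    return ("ok", "pin is clean")

# Constructed sample traffic (not captured from a real device).
NS = "http://placeholder.invalid/jnap/"  # placeholder action namespace
TARGET = NS + "BTRequestGetSmartConnectStatus"
SAMPLES = [
    ({"X-JNAP-Action": TARGET}, '{"pin": "12345678"}'),
    ({"x-jnap-action": TARGET}, '{"pin": "a ; id ; #"}'),
    ({"X-JNAP-Action": TARGET}, '{"pin": ["1"]}'),
    ({"X-JNAP-Action": NS + "SomeOtherAction"}, '{"pin": "a ; id ; #"}'),
]

def run_samples():
    """Verdict for each constructed sample, in order."""
    return [inspect_request(h, b)[0] for h, b in SAMPLES]

if __name__ == "__main__":
    for (_, body), verdict in zip(SAMPLES, run_samples()):
        print(verdict, body)
```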
Exploit Preconditions
Two conditions must be met for successful exploitation:
- Authentication: The attacker must hold valid credentials for the JNAP API. In practice, the default credentials (admin/admin) are frequently left unchanged on consumer deployments, and the public exploit uses these defaults.
- Device Mode: The router must be operating in Master mode for the vulnerable Bluetooth Smart Connect code path to be reachable.
Attack Flow
The publicly available exploit automates the full chain:
- Authenticate to the JNAP API using default (or known) credentials.
- Switch the device into Master mode via a JNAP action, enabling the vulnerable code path.
- Send a crafted pin value containing shell metacharacters to the BTRequestGetSmartConnectStatus action, staging a helper CGI script on the filesystem.
- Trigger the staged CGI to spawn a reverse shell, granting the attacker interactive root access.
The entire sequence requires no manual intervention once the script is launched.
Affected Systems and Versions
The confirmed affected configuration is:
- Product: Linksys MR9600
- Firmware Version: 2.0.6.206937
- Vulnerable Component: JNAP Action Handler, specifically the BTRequestGetSmartConnectStatus function in /etc/init.d/run_central2.sh
- Required Configuration: Device must be in Master mode (can be set programmatically via JNAP)
The Linksys MR9600 reached End of Life on December 11, 2023. No other firmware versions have been confirmed as affected or unaffected in the available materials.
Vendor Security History
The same firmware version (2.0.6.206937) for the MR9600 contains at least one other documented vulnerability: CVE-2026-4558, which affects the smartConnectConfigure function in SmartConnect.lua. Both flaws reside within the Smart Connect feature set, suggesting a pattern of insufficient input validation across this subsystem rather than an isolated oversight.
Linksys maintains a Vulnerability Disclosure Program, but the researchers behind CVE-2026-6992 reported that the vendor was contacted early and did not respond in any way. Historically, Linksys devices have also been targeted by large-scale automated threats such as The Moon worm, which exploited authentication bypass flaws in Linksys routers to self-replicate across the internet in 2014.