CVE-2026-25603: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Linksys MR9600
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Linksys MR9600 and Linksys MX4200 allows the contents of a USB drive partition to be mounted at an arbitrary location in the file system. This may result in the execution of shell scripts in the context of the root user. This issue affects MR9600: 1.0.4.205530; MX4200: 1.0.13.210200.
AI Analysis
Technical Summary
CVE-2026-25603 is a path traversal vulnerability categorized under CWE-22 that affects Linksys MR9600 and MX4200 routers running specific firmware versions (MR9600: 1.0.4.205530; MX4200: 1.0.13.210200). The vulnerability arises from improper limitation of pathname inputs when mounting USB drive partitions, allowing an attacker to mount these partitions at arbitrary locations within the device's filesystem. This can enable execution of malicious shell scripts with root privileges, effectively granting full control over the device. The flaw requires user interaction and local access to the device, such as physical access or network access with USB drive insertion capability. The vulnerability impacts confidentiality, integrity, and availability by allowing unauthorized code execution and potential persistent compromise of the router. Although no exploits are currently known in the wild, the risk remains significant due to the root-level execution capability. The CVSS 3.1 score of 6.6 reflects a medium severity, balancing the high impact with the limited attack vector and requirement for user interaction. This vulnerability underscores the importance of secure input validation and strict access controls on embedded device filesystems, especially for network infrastructure devices like routers.
Potential Impact
The exploitation of CVE-2026-25603 can lead to full compromise of affected Linksys routers by enabling attackers to execute arbitrary shell scripts with root privileges. This can result in unauthorized access to network traffic, interception or manipulation of data, disruption of network services, and potential pivoting to other internal systems. Organizations relying on these routers for critical network functions may experience confidentiality breaches, integrity violations, and availability outages. The ability to mount USB partitions arbitrarily also raises the risk of persistent malware installation and stealthy backdoors. Although exploitation requires local or physical access and user interaction, environments with shared physical access or untrusted users are particularly vulnerable. The absence of known exploits in the wild currently limits immediate widespread impact, but targeted attacks against high-value networks remain a concern.
Mitigation Recommendations
1. Apply firmware updates from Linksys as soon as patches become available to address this vulnerability.
2. Restrict physical access to routers and disable USB ports if not required to prevent unauthorized USB device insertion.
3. Implement network segmentation to limit local network access to management interfaces of affected devices.
4. Monitor router logs and filesystem activity for unusual mount operations or execution of unexpected shell scripts.
5. Employ endpoint security controls to detect and block suspicious USB devices or unauthorized file system changes.
6. Educate users and administrators about the risks of inserting untrusted USB devices into network equipment.
7. Consider deploying network intrusion detection systems to identify anomalous traffic patterns that could indicate exploitation attempts.
8. Maintain an inventory of affected devices and prioritize remediation based on criticality and exposure.
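To make the CWE-22 pattern in the description and the monitoring point in mitigation item 4 concrete, here is an added example that is not part of this advisory or of Linksys firmware: a mount-target derivation done the unsafe way beside a hardened one, plus a check over /proc/mounts-format text that flags USB block devices mounted outside the expected base. MOUNT_BASE and the sample mount table are constructed assumptions, not values from the affected devices.

```python
import posixpath

# Constructed assumption: the advisory does not name the real mount base,
# so a placeholder directory stands in for it.
MOUNT_BASE = "/mnt/usb"

def vulnerable_mount_target(label: str) -> str:
    """CWE-22 pattern: the partition label is joined unchecked, so a label
    containing '..' or starting with '/' resolves outside MOUNT_BASE."""
    return posixpath.join(MOUNT_BASE, label)

def safe_mount_target(label: str) -> str:
    """Hardened derivation: a label names exactly one directory under
    MOUNT_BASE; anything else is rejected before mount is ever called."""
    if not label or label in (".", "..") or "/" in label or "\x00" in label:
        raise ValueError(f"invalid partition label: {label!r}")
    target = posixpath.normpath(posixpath.join(MOUNT_BASE, label))
    # Defence in depth: even after normalisation the result must be a strict
    # child of MOUNT_BASE (commonpath avoids the "/mnt/usbx" string-prefix trap).
    if target == MOUNT_BASE or posixpath.commonpath([MOUNT_BASE, target]) != MOUNT_BASE:
        raise ValueError(f"mount target escapes {MOUNT_BASE}: {target}")
    return target

def suspicious_usb_mounts(proc_mounts: str) -> list:
    """Detection side of mitigation item 4: return (device, mountpoint) pairs
    from /proc/mounts-format text where a /dev/sd* block device is mounted
    anywhere other than under MOUNT_BASE."""
    hits = []
    for line in proc_mounts.splitlines():
        fields = line.split()
        if len(fields) < 2 or not fields[0].startswith("/dev/sd"):
            continue
        mountpoint = posixpath.normpath(fields[1])
        if posixpath.commonpath([MOUNT_BASE, mountpoint]) != MOUNT_BASE:
            hits.append((fields[0], mountpoint))
    return hits

# Constructed sample mount table (not captured from a real device).
SAMPLE_PROC_MOUNTS = """\
/dev/root / squashfs ro,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0
/dev/sda1 /mnt/usb/sda1 vfat rw,relatime 0 0
/dev/sda2 /etc vfat rw,relatime 0 0
"""

if __name__ == "__main__":
    print(vulnerable_mount_target("/etc"))            # /etc (base silently discarded)
    print(safe_mount_target("sda1"))                  # /mnt/usb/sda1
    print(suspicious_usb_mounts(SAMPLE_PROC_MOUNTS))  # [('/dev/sda2', '/etc')]
```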
Affected Countries
United States, Canada, United Kingdom, Germany, France, Australia, Japan, South Korea, Brazil, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: ENISA
- Date Reserved: 2026-02-03T07:24:49.548Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699e0f3bbe58cf853b2906cc
Added to database: 2/24/2026, 8:51:07 PM
Last enriched: 2/24/2026, 8:52:25 PM
Last updated: 2/24/2026, 10:59:41 PM