CVE-2026-25603 is a CWE-22 path traversal vulnerability identified in Linksys MR9600 and MX4200 routers, specifically in firmware versions MR9600 1.0.4.205530 and MX4200 1.0.13.210200. The vulnerability arises from improper limitation of pathname inputs when mounting USB drive partitions, allowing an attacker to mount these partitions at arbitrary locations within the device's file system. This can lead to execution of shell scripts with root privileges, effectively granting full control over the router's operating system. The attack vector is network-based (AV:P - adjacent network), requiring low attack complexity (AC:L) and no privileges (PR:N), but it does require user interaction (UI:R), such as convincing a user to connect a malicious USB device or trigger the mounting process. The vulnerability impacts confidentiality, integrity, and availability, as an attacker can execute arbitrary code, potentially intercept or manipulate network traffic, disrupt service, or pivot to other network assets. No known exploits have been reported in the wild yet, but the potential for exploitation is significant due to root-level execution. The absence of patches at the time of publication increases risk. This vulnerability highlights the importance of secure input validation and strict pathname restrictions in embedded device firmware, especially for network infrastructure devices like routers.

The potential impact of CVE-2026-25603 is substantial for organizations relying on affected Linksys routers. Successful exploitation can lead to full system compromise, allowing attackers to execute arbitrary commands as root. This can result in interception or manipulation of sensitive network traffic, disruption of network availability, and establishment of persistent backdoors. Organizations in sectors such as telecommunications, government, healthcare, and critical infrastructure that use these routers may face severe operational and data confidentiality risks. Additionally, compromised routers can serve as footholds for lateral movement within internal networks, increasing the scope of potential damage. The requirement for user interaction somewhat limits remote exploitation but does not eliminate risk, especially in environments where USB devices are commonly connected or network access is shared. The medium CVSS score reflects the balance between ease of exploitation and impact severity. However, the root-level code execution elevates the threat beyond typical medium vulnerabilities, warranting prompt attention.

1. Monitor Linksys official channels for firmware updates addressing this vulnerability and apply patches immediately upon release. 2. Until patches are available, disable or restrict USB port usage on affected routers to prevent mounting of unauthorized USB devices. 3. Implement network segmentation to limit access to router management interfaces to trusted administrators only. 4. Employ strict access control and monitoring on network segments where these routers operate to detect unusual mounting or execution activities. 5. Educate users and administrators about the risks of connecting unknown USB devices to network infrastructure equipment. 6. Use network intrusion detection systems (NIDS) to identify suspicious activities related to USB mounting or shell script execution. 7. Regularly audit router configurations and logs for signs of exploitation attempts. 8. Consider deploying alternative hardware or firmware solutions with stronger security postures if immediate patching is not feasible.