CVE-2026-4558: OS Command Injection in Linksys MR9600
CVE-2026-4558 is a high-severity OS command injection vulnerability found in the Linksys MR9600 router firmware version 2.0.6.206937. The flaw exists in the smartConnectConfigure function within the SmartConnect.lua file, where manipulation of specific arguments such as configApSsid, configApPassphrase, srpLogin, or srpPassword can lead to remote command execution. The vulnerability can be exploited without user interaction or authentication, making it highly dangerous. Although the vendor was notified, no patch or response has been issued yet. Exploit code has been published, increasing the risk of attacks. This vulnerability threatens the confidentiality, integrity, and availability of affected devices and networks.
AI Analysis
Technical Summary
CVE-2026-4558 is an OS command injection vulnerability identified in the Linksys MR9600 router firmware version 2.0.6.206937. The vulnerability resides in the smartConnectConfigure function of the SmartConnect.lua script, which processes configuration parameters including configApSsid, configApPassphrase, srpLogin, and srpPassword. Improper input validation allows an attacker to inject arbitrary OS commands remotely by manipulating these parameters. This flaw can be exploited over the network without requiring authentication or user interaction, significantly increasing the attack surface. The vulnerability has a CVSS 4.0 base score of 8.7, reflecting its high severity due to ease of exploitation and the potential for full system compromise. The vendor was informed early but has not responded or released a patch, and proof-of-concept exploit code is publicly available, raising the likelihood of active exploitation. Successful exploitation could allow attackers to execute arbitrary commands with elevated privileges on the router, leading to control over device functionality, interception or manipulation of network traffic, and potential pivoting to internal networks. The lack of vendor response and patch availability makes this a critical concern for organizations relying on this hardware for secure network connectivity.
Potential Impact
The impact of CVE-2026-4558 is substantial for organizations using the Linksys MR9600 router. Exploitation can lead to full compromise of the device, allowing attackers to execute arbitrary commands with elevated privileges. This can result in unauthorized access to internal networks, interception or modification of sensitive data, disruption of network services, and use of the compromised router as a foothold for further attacks. Given the router’s role in managing wireless connectivity and network traffic, the confidentiality, integrity, and availability of organizational networks are at significant risk. The vulnerability’s remote, unauthenticated exploitability increases the likelihood of widespread attacks, especially since exploit code is publicly available. Organizations without timely mitigation may face data breaches, service outages, and potential regulatory or reputational damage. The absence of a vendor patch exacerbates the risk, requiring immediate defensive actions to prevent exploitation.
Mitigation Recommendations
In the absence of an official patch from Linksys, organizations should implement several specific mitigations to reduce risk. First, isolate the affected MR9600 routers from untrusted networks by restricting remote management access via firewall rules and network segmentation. Disable any remote configuration services or interfaces that expose the smartConnectConfigure functionality. Monitor network traffic for unusual or suspicious requests targeting the router’s configuration endpoints. Employ intrusion detection systems (IDS) or intrusion prevention systems (IPS) with signatures tuned to detect known exploit patterns related to this vulnerability. Where possible, replace affected devices with alternative hardware not impacted by this flaw. Regularly audit router configurations and logs for signs of compromise. Additionally, consider deploying network-level protections such as VPNs and strong authentication to limit exposure. Maintain heightened vigilance for any updates from Linksys and apply patches immediately upon release. Finally, educate network administrators about this vulnerability and the importance of rapid incident response.
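The monitoring recommendation above can be turned into a concrete check over captured request bodies. This is an added example, not code from this advisory, the vendor, or the published exploit. It assumes requests are logged as JSON objects carrying the four parameter names given in the advisory; the rule set and the sample bodies are constructed for illustration.

```python
import json
import re

# Parameter names taken from the advisory text.
WATCHED = {"configApSsid", "configApPassphrase", "srpLogin", "srpPassword"}

# Strongest signal first; a lone separator can occur in a real passphrase.
RULES = [
    ("high", "command substitution", re.compile(r"\$\(|`")),
    ("high", "embedded newline", re.compile(r"[\r\n]")),
    ("review", "command separator", re.compile(r"[;|&]")),
]

def watched_fields(node, path=""):
    """Yield (path, value) for every watched key at any depth of a JSON body."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if key in WATCHED and isinstance(value, str):
                yield here, value
            else:
                yield from watched_fields(value, here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from watched_fields(item, f"{path}[{i}]")

def inspect_body(raw):
    """Return a list of (severity, path, reason) findings for one request body."""
    try:
        body = json.loads(raw)
    except ValueError:
        return [("review", "<body>", "unparseable JSON")]
    findings = []
    for path, value in watched_fields(body):
        for severity, reason, pattern in RULES:
            if pattern.search(value):
                findings.append((severity, path, reason))
                break  # report only the strongest rule per field
    return findings

# Constructed sample bodies (not captured traffic, not the published exploit).
SAMPLES = [
    '{"configApSsid": "HomeNet-5G", "configApPassphrase": "correct horse"}',
    '{"settings": {"srpLogin": "admin$(id)"}}',
    '{"configApPassphrase": "p@ss;word|1"}',
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(inspect_body(raw) or "clean", "<-", raw)
```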
Affected Countries
United States, Canada, United Kingdom, Germany, France, Australia, Japan, South Korea, India, Brazil, Mexico, Netherlands, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-03-21T20:47:50.172Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69c02acff4197a8e3ba6a972
Added to database: 3/22/2026, 5:45:51 PM
Last enriched: 3/22/2026, 6:00:55 PM
Last updated: 3/22/2026, 6:56:10 PM