CVE-2026-4558: OS Command Injection in Linksys MR9600
CVE-2026-4558 is a high-severity OS command injection vulnerability affecting the Linksys MR9600 router firmware version 2.0.6.206937. The flaw exists in the smartConnectConfigure function within the SmartConnect.lua file, where manipulation of specific arguments (configApSsid, configApPassphrase, srpLogin, srpPassword) can lead to remote command execution. The vulnerability can be exploited without user interaction and requires low privileges, allowing an attacker to execute arbitrary OS commands remotely. Although the vendor was notified early, no response or patch has been issued, and a public exploit is available. This poses a significant risk to affected devices, potentially compromising network integrity and confidentiality. Organizations using this router model should urgently apply mitigations to prevent exploitation.
AI Analysis
Technical Summary
CVE-2026-4558 is an OS command injection vulnerability identified in the Linksys MR9600 router firmware version 2.0.6.206937. The vulnerability resides in the smartConnectConfigure function of the SmartConnect.lua script, which processes configuration parameters such as configApSsid, configApPassphrase, srpLogin, and srpPassword. Improper input validation or sanitization in these parameters allows an attacker to inject arbitrary operating system commands. Since the vulnerability can be triggered remotely over the network without requiring user interaction and only low privileges, it enables attackers to execute commands on the underlying operating system with potentially high impact on device control. The CVSS 4.0 base score is 8.7, reflecting high severity due to network attack vector, low attack complexity, no privileges required, and no user interaction needed. The vulnerability affects a widely used consumer and small business router model, which is often deployed in home and enterprise edge networks. Despite early notification, Linksys has not responded or released patches, and proof-of-concept exploits have been published publicly, increasing the risk of exploitation. This vulnerability could allow attackers to compromise device integrity, intercept or manipulate network traffic, or pivot into internal networks.
Potential Impact
The impact of CVE-2026-4558 is significant for organizations and individuals using the Linksys MR9600 router with the vulnerable firmware. Successful exploitation allows remote attackers to execute arbitrary OS commands, potentially leading to full device compromise. This can result in unauthorized access to internal networks, interception of sensitive data, disruption of network services, and deployment of persistent malware or backdoors. Given the router's role as a network gateway, attackers could leverage this vulnerability to pivot into corporate or home networks, compromising additional systems. The lack of vendor response and available public exploits increases the likelihood of active exploitation, raising risks for confidentiality, integrity, and availability of network communications. Organizations relying on this router model may face operational disruptions, data breaches, and reputational damage if exploited.
Mitigation Recommendations
Since no official patch or update has been released by Linksys, organizations should implement immediate compensating controls. These include isolating the affected routers from untrusted networks, restricting remote management access via firewall rules or VPNs, and disabling the smartConnect feature if possible. Network monitoring should be enhanced to detect unusual command execution or configuration changes. Where feasible, replace the affected routers with alternative devices from vendors with active security support. Additionally, organizations should enforce strong network segmentation to limit lateral movement if a device is compromised. Regularly review and update router firmware once a vendor patch becomes available. Employ intrusion detection systems capable of identifying command injection attempts targeting router management interfaces.
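As an added illustration of the detection recommendation above (not code from the advisory or from Linksys), the following Python scans captured management-request bodies for shell metacharacters in the four arguments the advisory names. It assumes the requests are available as JSON text, for example from a proxy log; the function names and the sample bodies are constructed for this example.

```python
import json
import re

# Argument names taken from the advisory text.
WATCHED = {"configApSsid", "configApPassphrase", "srpLogin", "srpPassword"}

# Character classes that carry meaning to a POSIX shell.
PATTERNS = [
    ("command substitution", re.compile(r"\$\(|`")),
    ("command separator", re.compile(r"[;|&]")),
    ("line break", re.compile(r"[\r\n]")),
    ("redirection", re.compile(r"[<>]")),
]

# Constructed sample request bodies (not captured from a real device).
SAMPLES = [
    '{"configApSsid": "HomeNet-5G", "configApPassphrase": "correct horse 42"}',
    '{"configApSsid": "lab;id", "srpLogin": "admin"}',
    '{"settings": {"srpPassword": "x`id`"}}',
]


def string_fields(node):
    """Yield (key, value) for each string stored under a key, at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            if isinstance(value, str):
                yield key, value
            else:
                yield from string_fields(value)
    elif isinstance(node, list):
        for item in node:
            yield from string_fields(item)


def scan_request(body):
    """Return (field, reason) findings for one captured request body."""
    try:
        doc = json.loads(body)
    except ValueError:
        # A body that does not parse is itself worth a look.
        return [("<body>", "unparseable JSON")]
    return [(key, reason)
            for key, value in string_fields(doc) if key in WATCHED
            for reason, pattern in PATTERNS if pattern.search(value)]


if __name__ == "__main__":
    for body in SAMPLES:
        print(scan_request(body) or "clean", "<-", body)
```

A hit is a triage lead rather than proof of an attack, since an SSID or passphrase can legitimately contain characters such as `&` or `;`.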
Affected Countries
United States, Canada, United Kingdom, Germany, France, Australia, Japan, South Korea, India, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-03-21T20:47:50.172Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 69c02acff4197a8e3ba6a972
Added to database: 3/22/2026, 5:45:51 PM
Last enriched: 3/29/2026, 8:07:41 PM
Last updated: 5/7/2026, 4:59:23 AM