CVE-2026-6992
Published: 25 April 2026
Summary
CVE-2026-6992 is a high-severity Command Injection (CWE-77) vulnerability in Linksys Mr9600 Firmware. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 39.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 directly prevents OS command injection by validating and sanitizing untrusted inputs like the manipulated 'pin' argument in the JNAP Action Handler.
SI-2 ensures timely identification, reporting, and patching of flaws such as the command injection vulnerability in the router firmware.
RA-5 mandates vulnerability scanning to detect and remediate publicly disclosed issues like CVE-2026-6992 with available exploits.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OS command injection in public-facing router JNAP interface enables T1190 (Exploit Public-Facing Application) for remote access and T1059.004 (Unix Shell) for arbitrary command execution on Linux-based firmware.
NVD Description
A vulnerability was identified in Linksys MR9600 2.0.6.206937. This affects the function BTRequestGetSmartConnectStatus of the file /etc/init.d/run_central2.sh of the component JNAP Action Handler. The manipulation of the argument pin leads to os command injection. The attack may be initiated remotely.…
more
The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Deeper analysisAI
CVE-2026-6992 is an OS command injection vulnerability (CWE-77, CWE-78) affecting the Linksys MR9600 router on firmware version 2.0.6.206937. The issue resides in the BTRequestGetSmartConnectStatus function within the file /etc/init.d/run_central2.sh of the JNAP Action Handler component, where manipulation of the "pin" argument enables command injection.
The vulnerability is exploitable remotely over the network (AV:N) with low attack complexity (AC:L), though it requires high privileges (PR:H) and no user interaction (UI:N). Successful exploitation grants high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), corresponding to a CVSS v3.1 base score of 7.2, allowing privileged remote attackers to execute arbitrary OS commands on the device.
Advisories from sources like VulDB indicate the vendor (Linksys) was contacted early about the disclosure but provided no response or patches. An exploit is publicly available, as documented in a GitHub issue and VulDB entries, increasing the risk of active use against unpatched devices.
Details
- CWE(s)