CVE-2026-25603
📋 TL;DR
A path traversal vulnerability in Linksys MR9600 and MX4200 routers allows attackers to mount USB drive partitions to arbitrary file system locations. This can lead to execution of malicious shell scripts with root privileges. The vulnerability affects specific firmware versions of these consumer routers.
💻 Affected Systems
- Linksys MR9600
- Linksys MX4200
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with root access, allowing installation of persistent backdoors, credential theft, and router takeover for botnet participation.
Likely Case
Local attacker with physical USB access or network access to USB sharing services executes arbitrary code, potentially gaining full control of the router.
If Mitigated
Limited impact if USB ports are disabled and network access to USB sharing services is restricted.
🎯 Exploit Status
Exploitation requires access to USB sharing services or physical USB port access. The SYSS advisory provides technical details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Linksys firmware updates for versions newer than affected ones
Vendor Advisory: https://www.linksys.com/support/
Restart Required: Yes
Instructions:
1. Log into router admin interface. 2. Navigate to firmware update section. 3. Check for and apply latest firmware. 4. Reboot router after update.
🔧 Temporary Workarounds
Disable USB sharing services
allTurn off all USB sharing functionality to prevent exploitation vectors
Restrict USB port access
allPhysically secure or disable USB ports if not needed
🧯 If You Can't Patch
- Isolate affected routers on separate VLAN with strict network segmentation
- Implement strict firewall rules to block access to USB sharing services from untrusted networks
🔍 How to Verify
Check if Vulnerable:
Check router firmware version in admin interface against affected versions: MR9600 1.0.4.205530 or MX4200 1.0.13.210200Check Version:
Check via router web interface at 192.168.1.1 or router IP, navigate to firmware/status sectionVerify Fix Applied:
Confirm firmware version is newer than affected versions and test USB functionality with controlled payloads📡 Detection & Monitoring
Log Indicators:
- Unusual USB mount events
- Execution of unexpected shell scripts
- File system access to unusual paths
Network Indicators:
- Unexpected connections to USB sharing ports
- Traffic patterns suggesting router compromise
SIEM Query:
Search for 'usb mount' or 'path traversal' in router logs, monitor for shell script execution events