Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
6.6
Linksys Routers Allow Malicious USB Drive Execution
CVE-2026-25603
Summary
If a malicious USB drive is plugged into a Linksys MR9600 or MX4200 router, an attacker could potentially execute malicious scripts with full system privileges, potentially compromising the router's security. This affects MR9600 version 1.0.4.205530 and MX4200 version 1.0.13.210200. To protect your router, make sure to update to the latest firmware version.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| linksys | mr9600_firmware | 1.0.4.205530 | – |
| linksys | mx4200_firmware | 1.0.4.205530 | – |
Original title
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Linksys MR9600, Linksys MX4200 allows that contents of a USB drive partition can be mounted in an arb...
Original description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Linksys MR9600, Linksys MX4200 allows that contents of a USB drive partition can be mounted in an arbitrary location of the file system. This may result in the execution of shell scripts in the context of a root user.This issue affects MR9600: 1.0.4.205530; MX4200: 1.0.13.210200.
nvd CVSS3.1
6.6
Vulnerability type
CWE-22
Path Traversal
- https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-001.t... Exploit Third Party Advisory
Published: 24 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026