CVE-2026-25603

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Linksys MR9600, Linksys MX4200 allows that contents of a USB drive partition can be mounted in an arbitrary location of the file system. This may result in the execution of shell scripts in the context of a root user.This issue affects MR9600: 1.0.4.205530; MX4200: 1.0.13.210200.

CVSS v3 6.6 MEDIUM

6.6^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 0.7 / Impact : 5.9

Attack Vector PHYSICAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-001.txt	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:linksys:mr9600_firmware:1.0.4.205530:*:*:*:*:*:*:*

cpe:2.3:h:linksys:mr9600:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:linksys:mx4200_firmware:1.0.4.205530:*:*:*:*:*:*:*

cpe:2.3:h:linksys:mx4200:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-24 18:29

Updated : 2026-02-26 18:10

NVD link : CVE-2026-25603

Mitre link : CVE-2026-25603

CVE.ORG link : CVE-2026-25603

JSON object : View

Products Affected

linksys

mr9600_firmware
mx4200_firmware
mx4200
mr9600

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2026-25603", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.6, "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 0.7}]}, "published": "2026-02-24T18:29:33.167", "references": [{"url": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-001.txt", "tags": ["Exploit", "Third Party Advisory"], "source": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Linksys MR9600, Linksys MX4200 allows that\u00a0contents of a USB drive partition can be mounted in an arbitrary location of the file system. This may result in the execution of shell scripts in the context of a root user.This issue affects MR9600: 1.0.4.205530; MX4200: 1.0.13.210200."}, {"lang": "es", "value": "Vulnerabilidad de Limitaci\u00f3n Inadecuada de un Nombre de Ruta a un Directorio Restringido ('Salto de Ruta') en Linksys MR9600, Linksys MX4200 permite que el contenido de una partici\u00f3n de unidad USB pueda montarse en una ubicaci\u00f3n arbitraria del sistema de archivos. Esto puede resultar en la ejecuci\u00f3n de scripts de shell en el contexto de un usuario root. Este problema afecta a MR9600: 1.0.4.205530; MX4200: 1.0.13.210200."}], "lastModified": "2026-02-26T18:10:54.523", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linksys:mr9600_firmware:1.0.4.205530:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "53E39864-0A63-4188-A91B-CA024C56237C"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:linksys:mr9600:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "EEF496D6-F5A4-4859-9BAC-016EB64A701C"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linksys:mx4200_firmware:1.0.4.205530:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7885670B-8DCF-42F3-8644-B6F240D5E84B"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:linksys:mx4200:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "9D53D1E6-E087-4837-A2A4-3512644E3DC2"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158"}