HIGH | CVE-2026-53876 | Published | Modified | CNA: jpcert

CVE-2026-53876: RadiX AX6600 WiFi 6 Tri-Band Gaming Router contains an OS command injection vulnerability, which may lead to arbitrary command execution with the root privilege by a user who logs in to the web console as an administrator

RadiX AX6600 WiFi 6 Tri-Band Gaming Router contains an OS command injection vulnerability, which may lead to arbitrary command execution with the root privilege by a user who logs in to the web console as an administrator.

Metrics

CVSS v4.0: 8.6
Severity: HIGH
Fixed in:
Affected Products: 1

HarborGuard Analysis

Synopsis

OS command injection in the RadiX AX6600 WiFi 6 Tri-Band Gaming Router allows an authenticated administrator to execute arbitrary commands with root privileges. The vulnerability is reachable over the network through the router's web console, but requires a valid administrator account to exploit. Successful exploitation gives the attacker full root-level command execution on the device. No fix version has been published yet; HarborGuard tracks this advisory and will flag a patched-image rebuild as soon as an upstream fix is released.

HarborGuard Coverage

Detection

Detection for CVE-2026-53876 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds including JPCERT advisories. Coverage extends to custom-built images that embed RadiX AX6600 firmware or derivative components.

Status: Available

Triage

HarborGuard scores this CVE at 8.6 HIGH using the CVSS v4.0 vector and can weight findings against each customer's per-environment compliance policy. Based on those policy settings, findings can be routed automatically to the appropriate team inbox within each customer organization.

Status: Available

Patch

Because no fix version has been published, HarborGuard re-evaluates this advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix appears. In the interim, compensating controls such as network-policy isolation of the management interface and restricted admin credential access can be surfaced through the HarborGuard recommendations feed.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The web console is exposed over the network, meaning an attacker must be able to reach the router's management interface across the network to attempt exploitation.

  • Authentication: Required

    A valid administrator account is required; an attacker without admin credentials cannot reach the vulnerable code path.

  • Victim interaction: Not required

    No action from another user or victim is needed; the attacker operates entirely through their own authenticated session.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no special timing, race conditions, or environmental preconditions beyond network access and admin credentials.

Blast Radius

  • Attacker executes arbitrary OS commands as root, gaining full control over the router's operating system.
  • Attacker reads sensitive configuration data, stored credentials, and network traffic passing through the device.
  • Attacker modifies routing rules, firewall settings, or DNS configuration to redirect or intercept traffic.
  • Attacker can crash or reboot the device, disrupting network connectivity for all clients depending on the router.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-53876 is active for any customer image incorporating RadiX AX6600 firmware, matched against the advisory ingested from JPCERT within minutes of publication. Because no patched firmware version has been published upstream, HarborGuard cannot yet generate a patched-image rebuild. The advisory is re-checked on every ingest cycle, and a rebuild will become available automatically the moment a fix version is released. Where compliance policy permits, customers with auto-remediation enabled will receive the rebuilt image, a regression-test run, and a PR opened against affected workloads without manual intervention. In the meantime, HarborGuard can surface compensating-control recommendations, including isolating the router's web management interface behind a dedicated management VLAN or VPN, enforcing strict inbound network policies to limit who can reach the admin console, and rotating administrator credentials to reduce the window of exposure if any account has been compromised.

Affected packages
  • Micro-Star International Co., Ltd. / RadiX AX6600 WiFi 6 Tri-Band Gaming Router
    firmware versions prior to v781521
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N