Description
Due to missing authentication, a user with physical access to the device can misuse the mesh functionality for adding a new mesh device to the network to gain access to sensitive information, including the password for admin access to the web interface and the Wi-Fi passwords. This issue affects MR9600: 1.0.4.205530; MX4200: 1.0.13.210200.
Published: 2026-02-25
Score: 6.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass – attacker can obtain admin and Wi‑Fi passwords from the router
Action: Assess Impact
AI Analysis

Impact

The vulnerability is an authentication bypass that allows a user with physical access to the Linksys device to use the mesh functionality to add a new mesh node. By doing so, the attacker can read sensitive information, notably the administrative login credentials for the web interface and the passwords for the Wi‑Fi network. This gives the attacker full administrative control over the router and network, potentially compromising all connected devices. Affected systems include the Linksys MR9600 running firmware 1.0.4.205530 and the Linksys MX4200 running firmware 1.0.13.210200. No other versions are listed as affected. The risk is moderate, as reflected by a CVSS score of 6.2, but the exploitation probability is low (EPSS < 1%). The issue is not currently listed in the CISA KEV catalogue. The most likely attack vector requires physical proximity to the device; no remote or network‑only exploitation is described.

Affected Systems

Linksys MR9600 (firmware 1.0.4.205530) and Linksys MX4200 (firmware 1.0.13.210200).

Risk and Exploitability

With a moderate CVSS score but very low EPSS, the overall exposure is limited, especially if physical security controls are in place. Compromise is feasible only when an attacker can physically reach the device; networking exposure is not evident from the description.

Generated by OpenCVE AI on April 17, 2026 at 15:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the router firmware to the latest version that fixes the missing authentication issue (check Linksys support for a newer release).
  • Restrict physical access to the router and mesh devices, limiting it to trusted personnel.
  • Disable mesh networking features or monitor for unauthorized mesh joins, and eject any devices that appear without proper authentication.

Advisories

No advisories yet.

History

Thu, 26 Feb 2026 13:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Linksys; Linksys mr9600; Linksys mx4200
Vendors & Products | | Linksys; Linksys mr9600; Linksys mx4200

Wed, 25 Feb 2026 19:45:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1 {'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Wed, 25 Feb 2026 15:45:00 +0000

Type | Values Removed | Values Added
Description | | Due to missing authentication, a user with physical access to the device can misuse the mesh functionality for adding a new mesh device to the network to gain access to sensitive information, including the password for admin access to the web interface and the Wi-Fi passwords. This issue affects MR9600: 1.0.4.205530; MX4200: 1.0.13.210200.
Title | | Missing authentication in Linksys MR9600, Linksys MX4200
Weaknesses | | CWE-306
References

MITRE

Status: PUBLISHED

Assigner: ENISA

Published:

Updated: 2026-02-25T18:36:03.925Z

Reserved: 2026-02-24T07:07:48.973Z

Link: CVE-2026-27846

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-02-25T16:23:28.710

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-27846

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T15:15:21Z

Weaknesses