CVE-2026-27847 - Vulnerability Details

- Missing authentication in Linksys MR9600, Linksys MX4200

Description

Due to improper neutralization of special elements, SQL statements can be injected via the handshake of a TLS-SRP connection. This can be used to inject known credentials into the database that can be utilized to successfully complete the handshake and use the protected service.
This issue affects MR9600: 1.0.4.205530; MX4200: 1.0.13.210200.

Published: 2026-02-25

Score: 9.8 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability originates from improper neutralization of special elements during the TLS‑SRP handshake, allowing an attacker to inject arbitrary SQL. The injected payload can insert known credentials directly into the device’s database, enabling the attacker to successfully perform the handshake and gain access to protected services. Because this bypasses the intended authentication mechanism, an attacker could potentially obtain privileged control over the device.

Affected Systems

The flaw affects Linksys MR9600 firmware 1.0.4.205530 and Linksys MX4200 firmware 1.0.13.210200. These specific versions are listed as vulnerable, and any systems running exactly these firmware builds are at risk.

Risk and Exploitability

The CVSS score of 9.8 classifies the issue as critical, highlighting severe potential impact. However, the EPSS score of less than 1 % indicates that, as of now, the likelihood of a real‑world exploit remains low. The vulnerability is not yet listed in CISA’s KEV catalog. Exploitation requires the ability to perform a TLS‑SRP handshake, which typically means the device is reachable over the network. The attack surface is limited to devices configured to accept SRP connections, and no public exploitation infrastructure has been reported, further reducing immediate threat.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linksys

MR9600

affected

Version	Status	Constraints
`1.0.4.205530`	affected	—

Linksys

MX4200

unaffected

Version	Status	Constraints
`1.0.13.210200`	affected	—

No data.

Vendor Product Confidence Versions

Linksys

Mr9600

100%

Version	Status	Scheme	Platform
`1.0.4.205530`	affected	generic	—

Linksys

Mx4200

100%

Version	Status	Scheme	Platform
`1.0.13.210200`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the MR9600 firmware to a release later than 1.0.4.205530, and upgrade the MX4200 firmware to a release later than 1.0.13.210200, ensuring the specific vulnerability is resolved.
Restrict remote management access to the devices by placing them behind a firewall or VPN, limiting exposure to potential attackers.
Continuously monitor network traffic and device logs for anomalous TLS‑SRP handshake attempts, and alert on any suspicious activity.

Generated by OpenCVE AI on April 17, 2026 at 15:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00068.

Exploitation poc

Automatable yes

Technical Impact total

References

Link	Providers
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-009.txt

History

Thu, 26 Feb 2026 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 26 Feb 2026 18:30:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

Thu, 26 Feb 2026 13:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Linksys Linksys mr9600 Linksys mx4200
Vendors & Products		Linksys Linksys mr9600 Linksys mx4200

Wed, 25 Feb 2026 15:45:00 +0000

Type	Values Removed	Values Added
Description		Due to improper neutralization of special elements, SQL statements can be injected via the handshake of a TLS-SRP connection. This can be used to inject known credentials into the database that can be utilized to successfully complete the handshake and use the protected service. This issue affects MR9600: 1.0.4.205530; MX4200: 1.0.13.210200.
Title		Missing authentication in Linksys MR9600, Linksys MX4200
Weaknesses		CWE-89
References		https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-009.txt

Subscriptions

Linksys Mr9600 Mx4200

MITRE

Status: PUBLISHED

Assigner: ENISA

Published: 2026-02-25T15:10:30.771Z

Updated: 2026-02-26T16:56:23.595Z

Reserved: 2026-02-24T07:07:48.973Z

Link: CVE-2026-27847

Vulnrichment

Updated: 2026-02-26T16:55:42.084Z

NVD

Status : Deferred

Published: 2026-02-25T16:23:28.833

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-27847

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T15:15:21Z

Weaknesses

CWE-89

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation poc

Automatable yes

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object