Description
Due to missing neutralization of special elements, OS commands can be injected via the handshake of a TLS-SRP connection, which are ultimately run as the root user.
This issue affects MR9600: 1.0.4.205530; MX4200: 1.0.13.210200.
Published: 2026-02-25
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

This vulnerability arises from a missing neutralization of special elements in the TLS‑SRP handshake implementation. The flaw allows an attacker to inject arbitrary operating‑system commands that are subsequently executed with root privileges on the device. Because the commands run as root, the attacker could take full control of the device, compromise network traffic, or install persistent malware. The weakness is identified by CWE‑78, a classic example of command‑injection.

Affected Systems

Linksys MR9600 firmware version 1.0.4.205530 and Linksys MX4200 firmware version 1.0.13.210200 are listed as vulnerable. These devices are consumer‑grade routers used in home or small‑office environments; the firmware versions are the only ones mentioned as affected.

Risk and Exploitability

The CVSS score of 9.8 signals critical severity, and while the EPSS score is below 1 % indicating a low probability of exploitation, the flaw is reachable over the network and the description does not explicitly state whether authentication is required, so this remains uncertain. The vulnerability is not currently catalogued in CISA’s KEV list, but its remote command execution capability means it is a high‑risk finding for any network that can reach the affected routers.

Generated by OpenCVE AI on April 18, 2026 at 10:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware update from Linksys that addresses the TLS‑SRP command injection flaw.
  • If no update is available, disable TLS‑SRP or block the port used for TLS‑SRP communication on the affected routers.
  • Configure network firewall rules to restrict unauthenticated traffic to the routers, ensuring only trusted internal networks can reach the management interface.

Generated by OpenCVE AI on April 18, 2026 at 10:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 26 Feb 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Thu, 26 Feb 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Linksys
Linksys mr9600
Linksys mx4200
Vendors & Products Linksys
Linksys mr9600
Linksys mx4200

Wed, 25 Feb 2026 15:45:00 +0000

Type Values Removed Values Added
Description Due to missing neutralization of special elements, OS commands can be injected via the handshake of a TLS-SRP connection, which are ultimately run as the root user. This issue affects MR9600: 1.0.4.205530; MX4200: 1.0.13.210200.
Title Missing neutralization in Linksys MR9600, Linksys MX4200
Weaknesses CWE-78
References

Subscriptions

Linksys Mr9600 Mx4200
cve-icon MITRE

Status: PUBLISHED

Assigner: ENISA

Published:

Updated: 2026-02-26T16:51:13.433Z

Reserved: 2026-02-24T07:07:48.974Z

Link: CVE-2026-27848

cve-icon Vulnrichment

Updated: 2026-02-26T16:50:39.948Z

cve-icon NVD

Status : Deferred

Published: 2026-02-25T16:23:29.037

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-27848

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T10:45:43Z

Weaknesses