CVE-2026-27846
Authentication Bypass in MR9600/MX4200 Mesh Allows Credential Exposure
Publication date: 2026-02-25
Last updated on: 2026-02-25
Assigner: ENISA
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linksys | mr9600 | 1.0.4.205530 |
| linksys | mx4200 | 1.0.13.210200 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27846 is a vulnerability in certain Linksys Wi-Fi mesh routers (MR9600 and MX4200) caused by missing authentication during the mesh device addition process using Bluetooth Low Energy (BLE).
An attacker with physical access can trigger the router to scan for BLE devices by pressing the reset button five times quickly. The router then connects to a BLE device advertising specific data and writes credentials for a hidden Wi-Fi network and TLS-SRP username and password.
Using these credentials, the attacker can connect to the hidden Wi-Fi network and establish a TLS-SRP connection to a service on the router, allowing them to send requests and receive sensitive configuration data such as the admin web interface password, Wi-Fi passwords, WPS PIN, security mode, and SSID.
This effectively allows the attacker to bypass authentication and gain administrative control over the device and network.
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': 'This vulnerability can have serious impacts including unauthorized access to sensitive information and administrative control over the affected router.'}, {'type': 'list_item', 'content': "An attacker with physical access can extract the admin password for the router's web interface."}, {'type': 'list_item', 'content': 'Wi-Fi passwords and network configuration details can be obtained, allowing unauthorized network access.'}, {'type': 'list_item', 'content': 'The attacker can add a new mesh device to the network, potentially compromising the entire mesh network.'}, {'type': 'list_item', 'content': 'This can lead to loss of network confidentiality, integrity, and control.'}] [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking if the Linksys MR9600 or MX4200 router is susceptible to unauthorized mesh device addition via Bluetooth Low Energy (BLE). Specifically, the router enters a BLE scanning mode when the reset button is pressed five times quickly, looking for devices advertising certain BLE data.'}, {'type': 'list_item', 'content': 'Press the router’s reset button five times quickly to trigger BLE scanning mode.'}, {'type': 'list_item', 'content': 'Use a BLE scanning tool to detect devices advertising the following characteristics:'}, {'type': 'list_item', 'content': '- Flags: 0x06'}, {'type': 'list_item', 'content': '- Manufacturer specific data: 0x5C00 0x0000'}, {'type': 'list_item', 'content': '- Complete list of service class UUIDs: 00002080-8eab-46c2-b788-0e9440016fd1'}, {'type': 'list_item', 'content': '- Complete local name: "Linksys"'}, {'type': 'paragraph', 'content': 'Once such a device is detected, the router connects and writes credentials to specific BLE characteristics. To detect exploitation, you can monitor for connections to TCP port 6060 on the router, which is used for the TLS-SRP service leaking sensitive data.'}, {'type': 'list_item', 'content': 'Use BLE scanning commands such as `bluetoothctl` or `hcitool lescan` on Linux to detect BLE advertisements matching the above criteria.'}, {'type': 'list_item', 'content': 'Use network commands like `netstat -an | grep 6060` or `ss -tuln | grep 6060` on the router or network to check for active connections on TCP port 6060.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
Since the vulnerability arises from missing authentication in the mesh device addition process and Linksys has stated no fix will be provided, immediate mitigation steps focus on limiting physical access and disabling vulnerable features if possible.
- Restrict physical access to the affected devices (MR9600 version 1.0.4.205530 and MX4200 version 1.0.13.210200) to trusted personnel only.
- Avoid pressing the reset button multiple times quickly to prevent triggering the BLE scanning mode.
- Monitor network traffic for suspicious connections to TCP port 6060, which may indicate exploitation attempts.
- Consider isolating the vulnerable devices on a separate network segment to limit exposure.
Currently, no software patch or firmware update is available to fix this issue.