CVE-2026-27846
Received Received - Intake
Authentication Bypass in MR9600/MX4200 Mesh Allows Credential Exposure

Publication date: 2026-02-25

Last updated on: 2026-02-25

Assigner: ENISA

Description
Due to missing authentication, a user with physical access to the device can misuse the mesh functionality for adding a new mesh device to the network  to gain access to sensitive information, including the password for admin access to the web interface and the Wi-Fi passwords.This issue affects MR9600: 1.0.4.205530; MX4200: 1.0.13.210200.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-25
Last Modified
2026-02-25
Generated
2026-06-16
AI Q&A
2026-02-25
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27846
EUVD
EUVD-2026-8648
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
linksys mr9600 1.0.4.205530
linksys mx4200 1.0.13.210200
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-27846 is a vulnerability in certain Linksys Wi-Fi mesh routers (MR9600 and MX4200) caused by missing authentication during the mesh device addition process using Bluetooth Low Energy (BLE).

An attacker with physical access can trigger the router to scan for BLE devices by pressing the reset button five times quickly. The router then connects to a BLE device advertising specific data and writes credentials for a hidden Wi-Fi network and TLS-SRP username and password.

Using these credentials, the attacker can connect to the hidden Wi-Fi network and establish a TLS-SRP connection to a service on the router, allowing them to send requests and receive sensitive configuration data such as the admin web interface password, Wi-Fi passwords, WPS PIN, security mode, and SSID.

This effectively allows the attacker to bypass authentication and gain administrative control over the device and network.

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can have serious impacts including unauthorized access to sensitive information and administrative control over the affected router.'}, {'type': 'list_item', 'content': "An attacker with physical access can extract the admin password for the router's web interface."}, {'type': 'list_item', 'content': 'Wi-Fi passwords and network configuration details can be obtained, allowing unauthorized network access.'}, {'type': 'list_item', 'content': 'The attacker can add a new mesh device to the network, potentially compromising the entire mesh network.'}, {'type': 'list_item', 'content': 'This can lead to loss of network confidentiality, integrity, and control.'}] [1]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking if the Linksys MR9600 or MX4200 router is susceptible to unauthorized mesh device addition via Bluetooth Low Energy (BLE). Specifically, the router enters a BLE scanning mode when the reset button is pressed five times quickly, looking for devices advertising certain BLE data.'}, {'type': 'list_item', 'content': 'Press the router’s reset button five times quickly to trigger BLE scanning mode.'}, {'type': 'list_item', 'content': 'Use a BLE scanning tool to detect devices advertising the following characteristics:'}, {'type': 'list_item', 'content': '- Flags: 0x06'}, {'type': 'list_item', 'content': '- Manufacturer specific data: 0x5C00 0x0000'}, {'type': 'list_item', 'content': '- Complete list of service class UUIDs: 00002080-8eab-46c2-b788-0e9440016fd1'}, {'type': 'list_item', 'content': '- Complete local name: "Linksys"'}, {'type': 'paragraph', 'content': 'Once such a device is detected, the router connects and writes credentials to specific BLE characteristics. To detect exploitation, you can monitor for connections to TCP port 6060 on the router, which is used for the TLS-SRP service leaking sensitive data.'}, {'type': 'list_item', 'content': 'Use BLE scanning commands such as `bluetoothctl` or `hcitool lescan` on Linux to detect BLE advertisements matching the above criteria.'}, {'type': 'list_item', 'content': 'Use network commands like `netstat -an | grep 6060` or `ss -tuln | grep 6060` on the router or network to check for active connections on TCP port 6060.'}] [1]

Mitigation Strategies

Since the vulnerability arises from missing authentication in the mesh device addition process and Linksys has stated no fix will be provided, immediate mitigation steps focus on limiting physical access and disabling vulnerable features if possible.

  • Restrict physical access to the affected devices (MR9600 version 1.0.4.205530 and MX4200 version 1.0.13.210200) to trusted personnel only.
  • Avoid pressing the reset button multiple times quickly to prevent triggering the BLE scanning mode.
  • Monitor network traffic for suspicious connections to TCP port 6060, which may indicate exploitation attempts.
  • Consider isolating the vulnerable devices on a separate network segment to limit exposure.

Currently, no software patch or firmware update is available to fix this issue.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27846. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart