CVE-2026-27847
Received Received - Intake
SQL Injection via TLS-SRP Handshake in MR9600 and MX

Publication date: 2026-02-25

Last updated on: 2026-02-26

Assigner: ENISA

Description
Due to improper neutralization of special elements, SQL statements can be injected via the handshake of a TLS-SRP connection. This can be used to inject known credentials into the database that can be utilized to successfully complete the handshake and use the protected service. This issue affects MR9600: 1.0.4.205530; MX4200: 1.0.13.210200.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-25
Last Modified
2026-02-26
Generated
2026-06-16
AI Q&A
2026-02-25
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27847
EUVD
EUVD-2026-8649
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
linksys mr9600 1.0.4.205530
linksys mx4200 1.0.13.210200
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-27847 is a high-risk SQL Injection vulnerability affecting Linksys Wi-Fi mesh routers MR9600 (version 1.0.4.205530) and MX4200 (version 1.0.13.210200).'}, {'type': 'paragraph', 'content': 'The vulnerability occurs because special characters in the username field during the TLS-SRP handshake process are not properly neutralized. This handshake happens on a service called sct_server running on TCP port 6060.'}, {'type': 'paragraph', 'content': "An attacker can inject arbitrary SQL statements through the username parameter, which allows them to insert attacker-controlled credentials into the router's SQLite database."}, {'type': 'paragraph', 'content': 'Once these credentials are injected, the attacker can successfully authenticate and gain access to the protected sct_server service.'}, {'type': 'paragraph', 'content': 'A proof-of-concept exploit uses the Python tlslite-ng library to insert new credentials and then update authentication data byte-by-byte to complete the handshake.'}] [1]

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability allows an attacker to inject their own credentials into the router's authentication database."}, {'type': 'paragraph', 'content': 'With these injected credentials, the attacker can authenticate successfully and gain unauthorized access to the sct_server service on the affected devices.'}, {'type': 'paragraph', 'content': 'This unauthorized access could allow the attacker to control or manipulate the mesh network devices, potentially compromising network security and integrity.'}, {'type': 'paragraph', 'content': 'Since the service is accessible on all interfaces except WAN, an attacker with network access could exploit this vulnerability.'}] [1]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring network traffic for connections to the sct_server service running on TCP port 6060, which is accessible on all interfaces except WAN. Since the vulnerability involves SQL injection via the username field during the TLS-SRP handshake, detection involves analyzing handshake attempts for unusual or malformed username parameters.'}, {'type': 'paragraph', 'content': 'A proof-of-concept exploit uses the Python tlslite-ng library to inject SQL statements during the handshake. Therefore, detection might include capturing and inspecting TLS-SRP handshake packets for suspicious username values or unexpected authentication attempts.'}, {'type': 'paragraph', 'content': 'Suggested commands to detect this vulnerability could include using network packet capture tools such as tcpdump or Wireshark to filter traffic on port 6060, for example:'}, {'type': 'list_item', 'content': 'tcpdump -i <interface> tcp port 6060 -w capture.pcap'}, {'type': 'list_item', 'content': 'Followed by analyzing the capture with Wireshark to inspect TLS-SRP handshake username fields for suspicious input.'}, {'type': 'paragraph', 'content': "Additionally, monitoring authentication logs or the database for unexpected new entries in the 'authorize' table could help identify exploitation attempts."}] [1]

Mitigation Strategies

As of the public disclosure date, no official fix or mitigation has been provided by the manufacturer.

Immediate mitigation steps include restricting access to the sct_server service on TCP port 6060 to trusted internal networks only, since it is accessible on all interfaces except WAN.

Additionally, monitoring for suspicious authentication attempts and unusual database entries can help detect exploitation early.

Consider disabling or isolating the vulnerable service if possible until a patch or update is released.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27847. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart