CVE-2026-27847
SQL Injection via TLS-SRP Handshake in MR9600 and MX
Publication date: 2026-02-25
Last updated on: 2026-02-26
Assigner: ENISA
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linksys | mr9600 | 1.0.4.205530 |
| linksys | mx4200 | 1.0.13.210200 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27847 is a high-risk SQL Injection vulnerability affecting Linksys Wi-Fi mesh routers MR9600 (version 1.0.4.205530) and MX4200 (version 1.0.13.210200).

The vulnerability occurs because special characters in the username field during the TLS-SRP handshake process are not properly neutralized. This handshake happens on a service called sct_server running on TCP port 6060.

An attacker can inject arbitrary SQL statements through the username parameter, which allows them to insert attacker-controlled credentials into the router's SQLite database.

Once these credentials are injected, the attacker can successfully authenticate and gain access to the protected sct_server service.

A proof-of-concept exploit uses the Python tlslite-ng library to insert new credentials and then update authentication data byte-by-byte to complete the handshake. [1]
How can this vulnerability impact me?
This vulnerability allows an attacker to inject their own credentials into the router's authentication database.

With these injected credentials, the attacker can authenticate successfully and gain unauthorized access to the sct_server service on the affected devices.

This unauthorized access could allow the attacker to control or manipulate the mesh network devices, potentially compromising network security and integrity.

Since the service is accessible on all interfaces except WAN, an attacker with network access could exploit this vulnerability. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring network traffic for connections to the sct_server service running on TCP port 6060, which is accessible on all interfaces except WAN. Since the vulnerability involves SQL injection via the username field during the TLS-SRP handshake, detection involves analyzing handshake attempts for unusual or malformed username parameters.

A proof-of-concept exploit uses the Python tlslite-ng library to inject SQL statements during the handshake. Therefore, detection might include capturing and inspecting TLS-SRP handshake packets for suspicious username values or unexpected authentication attempts.

Suggested commands to detect this vulnerability could include using network packet capture tools such as tcpdump or Wireshark to filter traffic on port 6060, for example:

- `tcpdump -i <interface> tcp port 6060 -w capture.pcap`
- Followed by analyzing the capture with Wireshark to inspect TLS-SRP handshake username fields for suspicious input.

Additionally, monitoring authentication logs or the database for unexpected new entries in the 'authorize' table could help identify exploitation attempts. [1]
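As an added illustration of the inspection step above (not code from this page, its source [1], or Linksys), the following Python extracts the SRP identity (the RFC 5054 `srp` extension, type 12) from a TLS ClientHello and flags identities containing SQL meta-characters or keywords. The `build_client_hello` helper, the chosen cipher-suite value and the flagged pattern are constructed here for a self-contained test, not taken from captured traffic.

```python
import re

SRP_EXTENSION_TYPE = 12  # RFC 5054 srp(12): extension_data = opaque srp_I<1..2^8-1> (the username)
# Assumed heuristic: quote/separator/comment characters and common SQL keywords in a username
SUSPICIOUS = re.compile(r"['\";]|--|/\*|\b(union|select|insert|update|delete)\b", re.I)

def extract_srp_identity(record: bytes):
    """Return the SRP username carried in a TLS ClientHello record, or None."""
    # TLS record header: content type (1), version (2), length (2); 0x16 = handshake
    if len(record) < 5 or record[0] != 0x16:
        return None
    body = record[5:5 + int.from_bytes(record[3:5], "big")]
    # Handshake header: msg type (1), length (3); 0x01 = client_hello
    if len(body) < 4 or body[0] != 0x01:
        return None
    hs = body[4:4 + int.from_bytes(body[1:4], "big")]
    try:
        pos = 2 + 32                                       # client_version + random
        pos += 1 + hs[pos]                                 # session_id<0..32>
        pos += 2 + int.from_bytes(hs[pos:pos + 2], "big")  # cipher_suites<2..2^16-2>
        pos += 1 + hs[pos]                                 # compression_methods<1..2^8-1>
        end = pos + 2 + int.from_bytes(hs[pos:pos + 2], "big")  # extensions block
        pos += 2
        while pos + 4 <= end:
            etype = int.from_bytes(hs[pos:pos + 2], "big")
            elen = int.from_bytes(hs[pos + 2:pos + 4], "big")
            data = hs[pos + 4:pos + 4 + elen]
            if etype == SRP_EXTENSION_TYPE and data:
                return data[1:1 + data[0]].decode("utf-8", "replace")
            pos += 4 + elen
    except IndexError:                                     # truncated ClientHello
        return None
    return None

def is_suspicious_identity(username) -> bool:
    """True when an extracted SRP username looks like SQL rather than a plain name."""
    return username is not None and SUSPICIOUS.search(username) is not None

def build_client_hello(username: str) -> bytes:
    """Constructed minimal ClientHello (one SRP suite + srp extension); test input only."""
    ident = username.encode()
    srp_ext = bytes([len(ident)]) + ident
    ext = SRP_EXTENSION_TYPE.to_bytes(2, "big") + len(srp_ext).to_bytes(2, "big") + srp_ext
    hs = (b"\x03\x03" + b"\x00" * 32 + b"\x00"      # version, random, empty session_id
          + b"\x00\x02\xc0\x1d"                      # TLS_SRP_SHA_WITH_AES_128_CBC_SHA
          + b"\x01\x00"                              # compression_methods: null
          + len(ext).to_bytes(2, "big") + ext)
    body = b"\x01" + len(hs).to_bytes(3, "big") + hs
    return b"\x16\x03\x01" + len(body).to_bytes(2, "big") + body
```

Feed `extract_srp_identity` the first client record of each port 6060 session from the capture; a non-None identity that `is_suspicious_identity` flags is worth correlating with new rows in the 'authorize' table.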
What immediate steps should I take to mitigate this vulnerability?
As of the public disclosure date, no official fix or mitigation has been provided by the manufacturer.
Immediate mitigation steps include restricting access to the sct_server service on TCP port 6060 to trusted internal networks only, since it is accessible on all interfaces except WAN.
Additionally, monitoring for suspicious authentication attempts and unusual database entries can help detect exploitation early.
Consider disabling or isolating the vulnerable service if possible until a patch or update is released.