CVE-2026-27848
Status: Received - Intake
OS Command Injection via TLS-SRP Handshake in MR9600, MX4200

Publication date: 2026-02-25

Last updated on: 2026-02-26

Assigner: ENISA

Description
Due to missing neutralization of special elements, OS commands can be injected via the handshake of a TLS-SRP connection and are ultimately run as the root user. This issue affects MR9600: 1.0.4.205530; MX4200: 1.0.13.210200.
Meta Information
Published: 2026-02-25
Last Modified: 2026-02-26
Generated: 2026-05-07
AI Q&A: 2026-02-25
EPSS Evaluated: 2026-05-05
References: NVD, EUVD
Affected Vendors & Products
Showing 2 associated CPEs
Vendor   Product  Version / Range
linksys  mr9600   1.0.4.205530
linksys  mx4200   1.0.13.210200
CWE ID: CWE-78
Description: The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-27848 is a high-risk OS Command Injection vulnerability affecting Linksys MR9600 and MX4200 Wi-Fi 6 mesh routers. The issue exists in a service called `sct_server` that listens on TCP port 6060 and handles mesh device integration via TLS-SRP authentication.

The vulnerability arises because the username provided during the TLS-SRP handshake is used directly as a command-line argument to the `smcdb_auth` script without properly neutralizing special characters. This allows an attacker to inject arbitrary OS commands through the username field.

These injected commands are executed with root privileges, and no valid username or password is required to exploit this flaw.

A proof of concept demonstrated that an attacker can remotely execute commands, such as changing the router's LED indicator color, confirming the ability to run arbitrary commands on the device. [1]
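The CWE-78 pattern described above, shown as an added Python illustration that is not Linksys code and not the page's proof of concept: the vulnerable shape hands a string built from the SRP identity to a shell, while the hardened shape allowlists the identity and passes it as a single argv element with no shell involved. The helper path `AUTH_HELPER` and the allowlist `SRP_USERNAME_RE` are assumptions; the real `smcdb_auth` location and its valid identities are not on the page.

```python
"""Added illustration of the command-injection pattern behind CVE-2026-27848 and
one hardened alternative. Not the router's code: AUTH_HELPER and the allowlist
are assumptions made for this example."""
import re
import subprocess
from typing import List

# Assumed path of the helper the advisory calls `smcdb_auth` (not on the page).
AUTH_HELPER = "/usr/sbin/smcdb_auth"

# Assumed allowlist for SRP identities: letters, digits and a few safe punctuation marks.
SRP_USERNAME_RE = re.compile(r"[A-Za-z0-9_.@-]{1,64}")


def vulnerable_command(username: str) -> str:
    """CWE-78 shape: the identity received in the TLS-SRP handshake is pasted into
    a shell command string. Whatever the shell treats specially in that string is
    interpreted by the shell instead of being delivered to the helper."""
    return f"{AUTH_HELPER} {username}"


def hardened_argv(username: str) -> List[str]:
    """Hardened shape: reject anything outside the allowlist, then build an argv
    list. Executed with shell=False, the kernel receives the username as one
    argument and no shell ever parses it."""
    if SRP_USERNAME_RE.fullmatch(username) is None:
        raise ValueError("SRP username rejected by allowlist")
    return [AUTH_HELPER, username]


def run_auth(username: str, helper: str = AUTH_HELPER) -> int:
    """Invoke the helper without a shell and return its exit status. `helper` is
    overridable so the flow can be exercised against any local binary."""
    argv = hardened_argv(username)
    argv[0] = helper
    return subprocess.run(argv, shell=False, check=False).returncode


if __name__ == "__main__":
    # Constructed sample identities: one benign, one carrying shell metacharacters.
    for ident in ("mesh-node-01", "node; id"):
        print("shell string:", repr(vulnerable_command(ident)))
        try:
            print("argv        :", hardened_argv(ident))
        except ValueError as err:
            print("rejected    :", err)
```

If a shell cannot be avoided (for example because the helper is itself a shell script that re-splits its arguments), quoting with `shlex.quote()` is a second layer, but the allowlist plus argv form above removes the shell from the path entirely, which is the fix CWE-78 calls for.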


How can this vulnerability impact me?

This vulnerability allows an attacker to remotely execute arbitrary OS commands on affected Linksys routers with root privileges.

Because the commands run as root, an attacker can fully control the device, potentially leading to unauthorized access, data theft, device manipulation, or using the router as a foothold to attack other devices on the network.

No authentication is required to exploit this vulnerability, making it easier for attackers to compromise the device remotely.

Currently, no fix or mitigation is available, increasing the risk for users of the affected devices.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by attempting to connect to the affected service running on TCP port 6060, which listens on all interfaces except WAN, and injecting commands via the TLS-SRP handshake username field.

A proof of concept uses the Python tlslite-ng library to craft a TLS-SRP handshake with a specially crafted username that injects OS commands executed as root.

Specifically, you can try to connect to the sct_server service on port 6060 and observe if commands injected via the username field are executed, for example, by triggering a visible effect such as changing the router's LED indicator color.

No direct command-line detection commands are provided, but using a custom script with tlslite-ng or similar TLS-SRP client libraries to test command injection via the username is the suggested approach. [1]


What immediate steps should I take to mitigate this vulnerability?

Currently, no fix or mitigation is available for this vulnerability.

As an immediate step, it is recommended to restrict access to the sct_server service on TCP port 6060 by limiting network exposure, for example, by firewalling or isolating the affected devices from untrusted networks.

Monitoring network traffic to detect unusual connections to port 6060 and disabling mesh integration features if possible may reduce risk until a patch is released.

