Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-27848 is a high-risk OS Command Injection vulnerability affecting Linksys MR9600 and MX4200 Wi-Fi 6 mesh routers. The issue exists in a service called `sct_server` that listens on TCP port 6060 and handles mesh device integration via TLS-SRP authentication.'}, {'type': 'paragraph', 'content': 'The vulnerability arises because the username provided during the TLS-SRP handshake is used directly as a command-line argument to the `smcdb_auth` script without properly neutralizing special characters. This allows an attacker to inject arbitrary OS commands through the username field.'}, {'type': 'paragraph', 'content': 'These injected commands are executed with root privileges, and no valid username or password is required to exploit this flaw.'}, {'type': 'paragraph', 'content': "A proof of concept demonstrated that an attacker can remotely execute commands, such as changing the router's LED indicator color, confirming the ability to run arbitrary commands on the device."}] [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker to remotely execute arbitrary OS commands on affected Linksys routers with root privileges.

Because the commands run as root, an attacker can fully control the device, potentially leading to unauthorized access, data theft, device manipulation, or using the router as a foothold to attack other devices on the network.

No authentication is required to exploit this vulnerability, making it easier for attackers to compromise the device remotely.

Currently, no fix or mitigation is available, increasing the risk for users of the affected devices.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by attempting to connect to the affected service running on TCP port 6060, which listens on all interfaces except WAN, and injecting commands via the TLS-SRP handshake username field.'}, {'type': 'paragraph', 'content': 'A proof of concept uses the Python tlslite-ng library to craft a TLS-SRP handshake with a specially crafted username that injects OS commands executed as root.'}, {'type': 'paragraph', 'content': "Specifically, you can try to connect to the sct_server service on port 6060 and observe if commands injected via the username field are executed, for example, by triggering a visible effect such as changing the router's LED indicator color."}, {'type': 'paragraph', 'content': 'No direct command-line detection commands are provided, but using a custom script with tlslite-ng or similar TLS-SRP client libraries to test command injection via the username is the suggested approach.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

Currently, no fix or mitigation is available for this vulnerability.

As an immediate step, it is recommended to restrict access to the sct_server service on TCP port 6060 by limiting network exposure, for example, by firewalling or isolating the affected devices from untrusted networks.

Monitoring network traffic to detect unusual connections to port 6060 and disabling mesh integration features if possible may reduce risk until a patch is released.

Useful 0 Not Useful 0