CVE-2026-27849
Status: Received - Intake
OS Command Injection via TLS-SRP Update in MR9600, MX

Publication date: 2026-02-25

Last updated on: 2026-02-26

Assigner: ENISA

Description
Due to missing neutralization of special elements, OS commands can be injected via the update functionality of a TLS-SRP connection, which is normally used for configuring devices inside the mesh network. This issue affects MR9600: 1.0.4.205530; MX4200: 1.0.13.210200.
Meta Information
Published: 2026-02-25
Last Modified: 2026-02-26
Generated: 2026-05-07
AI Q&A: 2026-02-25
EPSS Evaluated: 2026-05-05
References: NVD, EUVD
Affected Vendors & Products (2 associated CPEs)
Vendor    Product   Version / Range
linksys   mr9600    1.0.4.205530
linksys   mx4200    1.0.13.210200
CWE
CWE-78: The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-27849 is a high-risk OS Command Injection vulnerability affecting certain Linksys Wi-Fi mesh routers, specifically the MR9600 and MX4200 models. The issue arises because the update functionality of a TLS-SRP authenticated service (sct_server) improperly sanitizes input when processing configuration updates.

This service accepts TLS-SRP connections on TCP port 6060 and allows updates to system configuration variables (syscfg). A script runs every minute that reads these variables and sets them as environment variables using an 'eval' command. If an attacker injects special characters like semicolons into these variables, they can execute arbitrary OS commands on the device.

An attacker can exploit this by sending a crafted update request over the TLS-SRP connection to insert malicious commands, which the device then executes. For example, injecting a command to change the device's LED color demonstrates the ability to run arbitrary commands. [1]


How can this vulnerability impact me?

This vulnerability allows an attacker to execute arbitrary operating system commands on affected devices remotely by exploiting the update functionality. This can lead to unauthorized control over the device, potentially allowing the attacker to alter device behavior, disrupt network operations, or use the device as a foothold for further attacks within the mesh network.

Since the vulnerability affects the core configuration update mechanism, it could be used to compromise device integrity, confidentiality, and availability, impacting the security and reliability of the network environment where these devices are deployed.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring the TLS-SRP service (sct_server) running on TCP port 6060, which handles update requests that modify "syscfg" configuration variables.

One way to detect potential exploitation is to check for suspicious or unexpected "syscfg" entries containing semicolons (";"), which could indicate command injection attempts:

- Use the command: syscfg show | grep node-off
- Inspect the output for any entries containing semicolons or unusual command sequences.

Additionally, monitoring network traffic on port 6060 for unusual TLS-SRP update requests could help identify exploitation attempts. [1]
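The eval-of-syscfg pattern described in the explanation above and the semicolon check suggested in this answer, as an added POSIX shell example that is not part of this advisory, of the cited report, or of the Linksys firmware. It puts the vulnerable loader (a "key=value" line handed to eval) beside a hardened loader that validates the key and value and assigns without re-parsing, and adds a scanner for syscfg-style output that flags shell metacharacters rather than only ";". The variable names, the sample "syscfg show" output, and the injected payload are constructed for illustration; the real sct_server request format and syscfg output layout are not reproduced here.

```shell
#!/bin/sh
# Added example, not code from the advisory or the Linksys firmware.
# Shows (1) the unsafe pattern the advisory describes: syscfg "key=value"
# lines fed to eval, so a ";" in a value runs a command; (2) a hardened
# loader that never lets the value reach the shell parser; (3) a scanner
# for syscfg-style output that flags shell metacharacters.

# Constructed sample line with an injected payload. The payload is benign
# here (it only sets INJECTED=yes) so the effect can be observed safely.
INJECTED_LINE='node_off_color=blue; INJECTED=yes'

# Constructed sample of "syscfg show"-style output (the format is assumed).
SAMPLE_SYSCFG="node_off_led=green
mesh_backhaul=5ghz
$INJECTED_LINE
wan_mode=dhcp"

# unsafe_load: the vulnerable pattern. The whole line is handed to eval,
# so everything after ";" is executed as a command in this shell.
unsafe_load() {
    eval "$1"
}

# is_safe_value: allow only [A-Za-z0-9._:/-] in values; rejects empty.
is_safe_value() {
    case "$1" in
        "") return 1 ;;
        *[!A-Za-z0-9._:/-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# safe_load: hardened loader. Splits on the first "=", requires the key to
# be a valid identifier and the value to pass the allowlist, then assigns
# with export so the value is stored as data and never parsed as code.
safe_load() {
    key=${1%%=*}
    value=${1#*=}
    case "$key" in
        "" | [!A-Za-z_]* | *[!A-Za-z0-9_]*) return 1 ;;
    esac
    is_safe_value "$value" || return 1
    export "$key=$value"
}

# scan_syscfg: detection. Reads syscfg-style "key=value" lines on stdin
# and prints each line whose value contains a shell metacharacter
# (; | & $ ( ) < > or a backtick), not just ";".
scan_syscfg() {
    while IFS= read -r line; do
        value=${line#*=}
        case "$value" in
            *[';|&$()<>`']*) printf 'SUSPICIOUS: %s\n' "$line" ;;
        esac
    done
}

# Stand-alone demo: load the injected line both ways, then scan the sample.
unsafe_load "$INJECTED_LINE"
echo "after unsafe_load: INJECTED=${INJECTED:-unset}"
INJECTED=
if safe_load "$INJECTED_LINE"; then
    echo "safe_load accepted the line"
else
    echo "safe_load rejected the line"
fi
echo "after safe_load:   INJECTED=${INJECTED:-unset}"
printf '%s\n' "$SAMPLE_SYSCFG" | scan_syscfg
```

On a device, the scanner would be fed the real output of "syscfg show" instead of the constructed sample; the allowlist in is_safe_value is deliberately narrow and should be widened only for characters a given variable genuinely needs.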


What immediate steps should I take to mitigate this vulnerability?

Currently, no fix or mitigation is available for this vulnerability.

Immediate steps include monitoring the affected devices closely for suspicious activity, especially on the TLS-SRP service on port 6060.

Restrict access to the TLS-SRP service to trusted networks or hosts only to reduce the attack surface.

Avoid exposing the update functionality externally and consider disabling the service if it is not required.

