CVE-2026-27850
Received Received - Intake
Firewall Misconfiguration in MR9600/MX4200 Allows Unauthorized WAN Access

Publication date: 2026-02-25

Last updated on: 2026-02-25

Assigner: ENISA

Description
Due to an improperly configured firewall rule, the router will accept any connection on the WAN port with the source port 5222, exposing all services which are normally only accessible through the local network. This issue affects MR9600: 1.0.4.205530; MX4200: 1.0.13.210200.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-25
Last Modified
2026-02-25
Generated
2026-06-16
AI Q&A
2026-02-25
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27850
EUVD
EUVD-2026-8698
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
linksys mr9600 1.0.4.205530
linksys mx4200 1.0.13.210200
linksys mx4200 From 1.0.13.210200 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-27850 is a critical vulnerability in the Linksys MX4200 Wi-Fi mesh router caused by an improperly configured firewall rule.

This misconfiguration allows the router to accept any incoming TCP connections on its WAN interface if the source port of the connection is 5222.

Normally, services bound to 0.0.0.0 are only accessible from the local network, but this flaw exposes them to the internet.

Attackers can exploit this to bypass normal firewall restrictions and potentially execute remote OS command injections by leveraging other related vulnerabilities.

Impact Analysis

This vulnerability can have severe impacts including unauthorized remote access to internal services that should be protected.

Attackers can exploit the exposed services to perform remote OS command injections, potentially taking full control of the affected router.

Such control can lead to network compromise, data interception, disruption of services, and further exploitation of connected devices.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by inspecting the firewall rules on the router, specifically looking for rules that accept incoming TCP connections on the WAN interface (eth0) with source port 5222.

You can use commands like the following on the router to check for the problematic iptables rules:

  • iptables -L INPUT -v -n | grep eth0
  • iptables -L wan2self_ports -v -n | grep 5222

These commands help verify if there is a rule allowing TCP packets with source port 5222 to bypass normal firewall restrictions, which indicates the presence of the vulnerability.

Mitigation Strategies

The immediate and recommended mitigation step is to upgrade the router firmware to version 1.0.13.216602 or later, where the vulnerability has been fixed.

Until the firmware is updated, you can manually remove or modify the firewall rule that accepts incoming connections on the WAN interface with source port 5222 to prevent unauthorized access.

Additionally, restricting access to services normally bound to the local network and monitoring for unusual incoming connections from source port 5222 can help reduce risk.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27850. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart