CVE-2026-27850
Firewall Misconfiguration in MR9600/MX4200 Allows Unauthorized WAN Access
Publication date: 2026-02-25
Last updated on: 2026-02-25
Assigner: ENISA
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linksys | mr9600 | 1.0.4.205530 |
| linksys | mx4200 | 1.0.13.210200 |
| linksys | mx4200 | From 1.0.13.210200 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27850 is a critical vulnerability in the Linksys MX4200 Wi-Fi mesh router caused by an improperly configured firewall rule.
This misconfiguration allows the router to accept any incoming TCP connections on its WAN interface if the source port of the connection is 5222.
Normally, services bound to 0.0.0.0 are only accessible from the local network, but this flaw exposes them to the internet.
Attackers can exploit this to bypass normal firewall restrictions and potentially execute remote OS command injections by leveraging other related vulnerabilities.
How can this vulnerability impact me? :
This vulnerability can have severe impacts including unauthorized remote access to internal services that should be protected.
Attackers can exploit the exposed services to perform remote OS command injections, potentially taking full control of the affected router.
Such control can lead to network compromise, data interception, disruption of services, and further exploitation of connected devices.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by inspecting the firewall rules on the router, specifically looking for rules that accept incoming TCP connections on the WAN interface (eth0) with source port 5222.
You can use commands like the following on the router to check for the problematic iptables rules:
- iptables -L INPUT -v -n | grep eth0
- iptables -L wan2self_ports -v -n | grep 5222
These commands help verify if there is a rule allowing TCP packets with source port 5222 to bypass normal firewall restrictions, which indicates the presence of the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended mitigation step is to upgrade the router firmware to version 1.0.13.216602 or later, where the vulnerability has been fixed.
Until the firmware is updated, you can manually remove or modify the firewall rule that accepts incoming connections on the WAN interface with source port 5222 to prevent unauthorized access.
Additionally, restricting access to services normally bound to the local network and monitoring for unusual incoming connections from source port 5222 can help reduce risk.