{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27849", "assignerOrgId": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158", "state": "PUBLISHED", "assignerShortName": "ENISA", "dateReserved": "2026-02-24T07:07:48.974Z", "datePublished": "2026-02-25T16:20:25.395Z", "dateUpdated": "2026-02-26T16:47:01.147Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "MR9600", "vendor": "Linksys", "versions": [{"status": "affected", "version": "1.0.4.205530"}]}, {"defaultStatus": "unaffected", "product": "MX4200", "vendor": "Linksys", "versions": [{"status": "affected", "version": "1.0.13.210200"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Due to missing neutralization of special elements, OS commands can be injected via the update functionality of a TLS-SRP connection, which is normally used for configuring devices inside the mesh network.<br><p>This issue affects MR9600: 1.0.4.205530; MX4200: 1.0.13.210200.</p>"}], "value": "Due to missing neutralization of special elements, OS commands can be injected via the update functionality of a TLS-SRP connection, which is normally used for configuring devices inside the mesh network.\nThis issue affects MR9600: 1.0.4.205530; MX4200: 1.0.13.210200."}], "impacts": [{"capecId": "CAPEC-88", "descriptions": [{"lang": "en", "value": "CAPEC-88 OS Command Injection"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158", "shortName": "ENISA", "dateUpdated": "2026-02-25T16:20:25.395Z"}, "references": [{"tags": ["third-party-advisory", "technical-description"], "url": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-011.txt"}], "source": {"discovery": "UNKNOWN"}, "title": "Missing neutralization in Linksys MR9600, Linksys MX4200", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-02-26T16:46:53.068105Z", "id": "CVE-2026-27849", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T16:47:01.147Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-27849", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-26T16:46:53.068105Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T16:38:25.216Z"}}], "cna": {"title": "Missing neutralization in Linksys MR9600, Linksys MX4200", "source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-88", "descriptions": [{"lang": "en", "value": "CAPEC-88 OS Command Injection"}]}], "affected": [{"vendor": "Linksys", "product": "MR9600", "versions": [{"status": "affected", "version": "1.0.4.205530"}], "defaultStatus": "affected"}, {"vendor": "Linksys", "product": "MX4200", "versions": [{"status": "affected", "version": "1.0.13.210200"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-011.txt", "tags": ["third-party-advisory", "technical-description"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Due to missing neutralization of special elements, OS commands can be injected via the update functionality of a TLS-SRP connection, which is normally used for configuring devices inside the mesh network.\nThis issue affects MR9600: 1.0.4.205530; MX4200: 1.0.13.210200.", "supportingMedia": [{"type": "text/html", "value": "Due to missing neutralization of special elements, OS commands can be injected via the update functionality of a TLS-SRP connection, which is normally used for configuring devices inside the mesh network.<br><p>This issue affects MR9600: 1.0.4.205530; MX4200: 1.0.13.210200.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158", "shortName": "ENISA", "dateUpdated": "2026-02-25T16:20:25.395Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27849", "state": "PUBLISHED", "dateUpdated": "2026-02-26T16:47:01.147Z", "dateReserved": "2026-02-24T07:07:48.974Z", "assignerOrgId": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158", "datePublished": "2026-02-25T16:20:25.395Z", "assignerShortName": "ENISA"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Due to missing neutralization of special elements, OS commands can be injected via the update functionality of a TLS-SRP connection, which is normally used for configuring devices inside the mesh network.\nThis issue affects MR9600: 1.0.4.205530; MX4200: 1.0.13.210200."}, {"lang": "es", "value": "Debido a la falta de neutralizaci\u00f3n de elementos especiales, se pueden inyectar comandos del sistema operativo a trav\u00e9s de la funcionalidad de actualizaci\u00f3n de una conexi\u00f3n TLS-SRP, que normalmente se utiliza para configurar dispositivos dentro de la red de malla.\nEste problema afecta a MR9600: 1.0.4.205530; MX4200: 1.0.13.210200."}], "id": "CVE-2026-27849", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-25T17:25:40.903", "references": [{"source": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158", "url": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-011.txt"}], "sourceIdentifier": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "1.0.4.205530"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "MR9600", "source": "cna", "vendor": "Linksys"}, "product": "mr9600", "vendor": "linksys"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "1.0.13.210200"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "MX4200", "source": "cna", "vendor": "Linksys"}, "product": "mx4200", "vendor": "linksys"}], "analysis": {"en": {"generated_at": "2026-04-17T15:07:52.442768+00:00", "value": {"mitigation_remediation": ["Apply the latest firmware update released by Linksys to both the MR9600 and MX4200 devices.", "Disable or block the TLS\u2011SRP update path on affected devices to mitigate the risk while a patch is applied.", "Implement network segmentation or firewall policies that isolate the firmware update traffic from critical infrastructure components.", "Monitor device logs for anomalous command execution or other signs of compromise and respond promptly."], "summary": {"action": "Immediate Patch", "impact": "Command Injection Leading to Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Linksys MR9600 version 1.0.4.205530 and Linksys MX4200 version 1.0.13.210200 are the specific models and firmware releases affected. These devices are used to configure routers and mesh networks and therefore are pivotal to network operation.", "description_and_impact": "Os commands can be injected through the update functionality of a TLS\u2011SRP connection because special elements are not neutralized. This flaw enables attackers to execute arbitrary system commands on the affected device, providing full control over the device\u2019s operating system. The high CVSS score of 9.8 reflects the severity and the ability to compromise confidentiality, integrity, and availability of the network.", "risk_and_exploitability": "The CVSS score of 9.8 indicates a critical risk, while the EPSS score of less than 1\u202f% suggests that current exploitation attempts are low but still possible. The vulnerability is not listed in the CISA KEV catalog, but the remote nature of the attack vector\u2014via a TLS\u2011SRP update channel\u2014could let an attacker with network access perform the injection. The flaw permits unattended code execution, making it a high\u2011impact threat to any system incorporating the listed firmware."}}}}, "created": "2026-02-26T13:15:29.147450+00:00", "updated": "2026-04-17T15:15:21.846771+00:00", "vendors": ["linksys", "linksys$PRODUCT$mr9600", "linksys$PRODUCT$mx4200"]}