CVE-2026-27847 Overview
CVE-2026-27847 is a critical SQL Injection vulnerability affecting Linksys MR9600 and MX4200 routers. Due to improper neutralization of special elements, SQL statements can be injected via the handshake of a TLS-SRP (Transport Layer Security - Secure Remote Password) connection. This vulnerability allows attackers to inject known credentials into the database, enabling them to successfully complete the handshake and gain unauthorized access to protected services.
Critical Impact
Unauthenticated attackers can remotely inject malicious SQL statements during the TLS-SRP handshake process, potentially compromising device authentication and gaining unauthorized access to protected network services.
Affected Products
- Linksys MR9600 firmware version 1.0.4.205530
- Linksys MX4200 firmware version 1.0.13.210200
Discovery Timeline
- 2026-02-25 - CVE-2026-27847 published to NVD
- 2026-02-26 - Last updated in NVD database
Technical Details for CVE-2026-27847
Vulnerability Analysis
This vulnerability stems from CWE-89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection). The affected Linksys routers fail to properly sanitize user-supplied input during the TLS-SRP handshake process, allowing malicious actors to inject arbitrary SQL commands.
TLS-SRP is a protocol extension that enables secure authentication using a shared password without transmitting the password itself. The vulnerability occurs when the router processes SRP handshake parameters that are subsequently used in SQL queries without adequate input validation. An attacker can craft malicious SRP parameters containing SQL injection payloads that manipulate the underlying database queries.
The attack is particularly dangerous because it occurs at the transport layer during connection establishment, before any higher-level authentication mechanisms are engaged. This allows attackers to bypass authentication entirely by injecting valid credentials directly into the database.
Root Cause
The root cause is insufficient input sanitization in the TLS-SRP implementation. When processing SRP handshake parameters (such as the username or verifier), the router constructs SQL queries using these values without proper escaping or parameterized queries. This allows specially crafted input to break out of the intended SQL context and execute arbitrary database commands.
The lack of prepared statements or input validation in the credential verification logic creates a direct pathway for SQL injection attacks during what should be a secure authentication handshake.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker can initiate a TLS-SRP connection to the vulnerable router and embed SQL injection payloads within the handshake parameters. The attack sequence involves:
- Initiating a TLS-SRP handshake with the target router
- Crafting malicious SRP parameters containing SQL injection payloads
- Injecting known credentials into the authentication database
- Completing the handshake using the injected credentials
- Gaining access to protected services on the router
The vulnerability allows attackers to manipulate the database to insert, modify, or extract authentication credentials, effectively bypassing the security provided by the TLS-SRP protocol. For detailed technical information, refer to the SySS Security Advisory SYSS-2025-009.
Detection Methods for CVE-2026-27847
Indicators of Compromise
- Unusual TLS-SRP connection attempts from external IP addresses
- Database anomalies such as unexpected credential entries or modifications
- Authentication logs showing successful logins from previously unknown accounts
- Network traffic containing malformed or unusually long SRP handshake parameters
Detection Strategies
- Monitor TLS-SRP handshake traffic for suspicious patterns or payloads containing SQL syntax characters (single quotes, semicolons, UNION keywords)
- Implement intrusion detection rules to identify SQL injection patterns in encrypted handshake initiation traffic
- Review router authentication logs for anomalous login activity or credential creation events
- Deploy network monitoring to detect connection attempts targeting TLS-SRP ports from untrusted sources
Monitoring Recommendations
- Enable verbose logging on affected Linksys devices if available through firmware settings
- Implement network-level monitoring for connections to router management interfaces
- Set up alerts for multiple failed authentication attempts followed by successful access
- Monitor for any unauthorized changes to the router's credential database
How to Mitigate CVE-2026-27847
Immediate Actions Required
- Check if your Linksys MR9600 or MX4200 router is running vulnerable firmware versions (1.0.4.205530 or 1.0.13.210200 respectively)
- Restrict network access to router management interfaces to trusted IP addresses only
- Disable TLS-SRP if not required and alternative authentication methods are available
- Monitor the Linksys support portal for firmware updates addressing this vulnerability
- Consider placing affected devices behind additional network security controls
Patch Information
At the time of publication, no vendor patch has been confirmed. Organizations should monitor the SySS Security Advisory and Linksys official channels for updates. Given the critical nature of this vulnerability, prioritize firmware updates when they become available.
Workarounds
- Implement network segmentation to isolate affected routers from untrusted networks
- Use firewall rules to restrict access to TLS-SRP services from external networks
- Deploy a Web Application Firewall (WAF) or network IDS/IPS with SQL injection detection rules in front of affected devices
- Consider using alternative routers without this vulnerability for security-critical network segments
# Example: Restrict management interface access using iptables on upstream firewall
# Replace ROUTER_IP with your Linksys router's IP address
# Replace TRUSTED_NETWORK with your management network CIDR
iptables -A FORWARD -d ROUTER_IP -s TRUSTED_NETWORK -j ACCEPT
iptables -A FORWARD -d ROUTER_IP -p tcp --dport 443 -j DROP
iptables -A FORWARD -d ROUTER_IP -p tcp --dport 8443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
