CVE-2026-27847: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Linksys MR9600
Due to improper neutralization of special elements, SQL statements can be injected via the handshake of a TLS-SRP connection. This can be used to inject known credentials into the database that can be utilized to successfully complete the handshake and use the protected service. This issue affects MR9600: 1.0.4.205530; MX4200: 1.0.13.210200.
AI Analysis
Technical Summary
CVE-2026-27847 is a critical SQL injection vulnerability identified in Linksys MR9600 (version 1.0.4.205530) and MX4200 (version 1.0.13.210200) routers. The vulnerability stems from improper neutralization of special characters in SQL commands during the TLS-SRP (Transport Layer Security - Secure Remote Password) handshake process. Specifically, the handshake mechanism fails to sanitize input properly, allowing an attacker to inject malicious SQL statements into the backend database. This injection can be leveraged to insert known credentials into the device's authentication database, enabling the attacker to successfully complete the TLS-SRP handshake and gain unauthorized access to protected services on the device. The vulnerability is remotely exploitable over the network without requiring any privileges or user interaction, making it highly dangerous. The CVSS v3.1 base score of 9.8 reflects the critical nature of this flaw, with impacts spanning confidentiality, integrity, and availability. While no known exploits have been reported in the wild yet, the ease of exploitation and severity necessitate immediate attention. The affected devices are commonly used in enterprise and consumer environments, potentially exposing a broad range of users. The lack of available patches at the time of disclosure increases the urgency for interim mitigations.
Potential Impact
Exploitation of CVE-2026-27847 can have severe consequences for organizations worldwide. Attackers can bypass authentication by injecting credentials, gaining unauthorized access to router management interfaces or protected services. That access can allow attackers to manipulate network configurations, intercept or redirect traffic, deploy malware, or launch further attacks within the network. Compromise of a router undermines the confidentiality and integrity of data traversing the network and can disrupt availability through service outages or denial-of-service conditions. Given the critical role of routers in network infrastructure, successful exploitation can lead to widespread operational disruption, data breaches, and loss of trust. Organizations relying on Linksys MR9600 or MX4200 devices in critical environments such as government, healthcare, finance, or industrial sectors face heightened risk. Because the vulnerability is remotely exploitable without authentication, the attack surface is large and automated mass exploitation campaigns become likely once exploits are available.
Mitigation Recommendations
1. Immediate mitigation involves isolating affected devices from untrusted networks and restricting management access to trusted administrators only.
2. Monitor network traffic for unusual TLS-SRP handshake attempts or anomalous authentication patterns that could indicate exploitation attempts.
3. Employ network-level intrusion detection/prevention systems (IDS/IPS) with signatures or heuristics targeting SQL injection and abnormal TLS-SRP traffic.
4. Disable or limit TLS-SRP authentication if possible until patches are available.
5. Regularly audit router configurations and logs for unauthorized changes or access attempts.
6. Coordinate with Linksys for timely updates and apply patches as soon as they are released.
7. Consider deploying network segmentation to limit the impact of compromised devices.
8. Educate network administrators about this vulnerability and ensure incident response plans include steps for router compromise scenarios.
9. Use multi-factor authentication and strong credential policies on network devices to reduce risk from credential injection.
10. Maintain up-to-date asset inventories to quickly identify and remediate affected devices.
Affected Countries
United States, Canada, United Kingdom, Germany, France, Australia, Japan, South Korea, India, Brazil, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: ENISA
- Date Reserved: 2026-02-24T07:07:48.973Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 699f183fb7ef31ef0b2eb1d4
Added to database: 2/25/2026, 3:41:51 PM
Last enriched: 3/4/2026, 8:11:44 PM
Last updated: 4/12/2026, 12:16:23 AM