
CVE-2026-27847: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Linksys MR9600

High
Published: Wed Feb 25 2026 (02/25/2026, 15:10:30 UTC)
Source: CVE Database V5
Vendor/Project: Linksys
Product: MR9600

Description

CVE-2026-27847 is a SQL Injection vulnerability affecting Linksys MR9600 and MX4200 routers due to improper neutralization of special elements in SQL commands during the TLS-SRP handshake. An attacker can inject SQL statements to insert known credentials into the device's database, enabling unauthorized access to protected services. This flaw impacts specific firmware versions 1.0.4.205530 (MR9600) and 1.0.13.210200 (MX4200). Exploitation does not require user interaction but does require network access to the device's TLS-SRP handshake process.

AI-Powered Analysis

Last updated: 02/25/2026, 15:57:06 UTC

Technical Analysis

CVE-2026-27847 is a vulnerability classified under CWE-89 (SQL Injection) that affects Linksys MR9600 and MX4200 routers running specific firmware versions. The root cause is improper neutralization of special elements in SQL commands during the TLS-SRP (Transport Layer Security - Secure Remote Password) handshake process. This handshake is used to establish a secure connection with mutual authentication. The vulnerability allows an attacker to inject crafted SQL statements into the device's backend database by manipulating the handshake data. Specifically, the attacker can insert known credentials into the router's database, which can then be used to successfully complete the TLS-SRP handshake and gain unauthorized access to protected services on the device. This bypasses normal authentication mechanisms and can lead to full compromise of the router’s management interface or other protected functionalities. The affected firmware versions are MR9600 version 1.0.4.205530 and MX4200 version 1.0.13.210200. No CVSS score has been assigned yet, and no public exploits have been reported. The vulnerability requires network-level access to the device’s TLS-SRP handshake process but does not require user interaction. This flaw could be exploited by attackers on the same network segment or via exposed management interfaces, potentially allowing lateral movement or persistent access within a network.

Potential Impact

The impact of CVE-2026-27847 is significant for organizations using affected Linksys MR9600 and MX4200 routers. Successful exploitation can lead to unauthorized access to router management interfaces or other protected services, allowing attackers to alter device configurations, intercept or redirect network traffic, and potentially deploy further malware or conduct espionage. This compromises the confidentiality, integrity, and availability of network communications. Organizations relying on these routers for critical network infrastructure, including enterprise, government, and service provider environments, face risks of network disruption and data breaches. The vulnerability could facilitate lateral movement within internal networks, increasing the attack surface. Since the attack targets the TLS-SRP handshake, it undermines the security of the authentication process itself, making detection more difficult. The absence of known exploits currently reduces immediate risk, but the potential for weaponization remains high once exploit code becomes available.

Mitigation Recommendations

Organizations should immediately inventory their network to identify affected Linksys MR9600 and MX4200 devices running the vulnerable firmware versions. Although no official patches are currently linked, monitoring Linksys advisories for firmware updates addressing this vulnerability is critical. In the interim, restrict network access to router management interfaces by implementing strict firewall rules and network segmentation to limit exposure of TLS-SRP handshake endpoints. Disable remote management features if not required. Employ network intrusion detection systems (NIDS) to monitor for anomalous TLS handshake patterns indicative of injection attempts. Conduct regular audits of router logs for suspicious authentication attempts or unexpected credential insertions. Consider deploying compensating controls such as VPNs or zero-trust network access to protect management interfaces. Finally, plan for timely patch deployment once vendor updates become available to remediate the vulnerability fully.
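The root cause described in the Technical Analysis and the credential-store audit recommended above can be illustrated with the following added example, which is not Linksys firmware code and not part of the original advisory. It assumes a SQLite store, a hypothetical `srp_users` table, an assumed allow-list for identities, and that the attacker-controlled handshake field is the SRP username (the advisory does not say which field is affected).

```python
import re
import sqlite3

# Hypothetical schema and names: the advisory does not describe the router's database.
SCHEMA = "CREATE TABLE srp_users (username TEXT PRIMARY KEY, salt TEXT, verifier TEXT)"
# Assumed allow-list for the SRP username taken from the handshake.
IDENTITY_RE = re.compile(r"[A-Za-z0-9._@-]{1,64}")

def make_db():
    """In-memory store with one provisioned account (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.execute("INSERT INTO srp_users VALUES ('admin', 'c0ffee', 'v-admin')")
    return conn

def lookup_unsafe(conn, identity):
    """CWE-89 pattern: handshake data concatenated into the SQL text."""
    sql = f"SELECT salt, verifier FROM srp_users WHERE username = '{identity}'"
    return conn.execute(sql).fetchone()

def lookup_safe(conn, identity):
    """Hardened form: reject odd identities, then bind the value as a parameter."""
    if not IDENTITY_RE.fullmatch(identity):
        return None
    sql = "SELECT salt, verifier FROM srp_users WHERE username = ?"
    return conn.execute(sql, (identity,)).fetchone()

def unexpected_users(conn, provisioned):
    """Audit check: accounts in the store that were never provisioned."""
    rows = conn.execute("SELECT username FROM srp_users ORDER BY username")
    return [name for (name,) in rows if name not in provisioned]

if __name__ == "__main__":
    db = make_db()
    crafted = "nobody' OR '1'='1"  # constructed input; the quote ends the literal early
    print("unsafe:", lookup_unsafe(db, crafted))  # a row comes back for a user that does not exist
    print("safe:  ", lookup_safe(db, crafted))    # rejected before reaching the database
    db.execute("INSERT INTO srp_users VALUES ('rogue', '00', 'v-rogue')")  # simulated rogue row
    print("audit: ", unexpected_users(db, {"admin"}))
```

The same comparison against a known-good list of provisioned accounts is what a periodic audit of the credential store would run to spot inserted entries.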


Technical Details

Data Version: 5.2
Assigner Short Name: ENISA
Date Reserved: 2026-02-24T07:07:48.973Z
Cvss Version: null
State: PUBLISHED

Threat ID: 699f183fb7ef31ef0b2eb1d4

Added to database: 2/25/2026, 3:41:51 PM

Last enriched: 2/25/2026, 3:57:06 PM

Last updated: 2/25/2026, 6:51:44 PM
