CVE-2026-27849 is a critical OS command injection vulnerability identified in Linksys MR9600 and MX4200 routers, specifically in the firmware versions MR9600 1.0.4.205530 and MX4200 1.0.13.210200. The vulnerability stems from CWE-78: improper neutralization of special elements used in an OS command. The issue occurs in the update functionality of a TLS-SRP (Transport Layer Security - Secure Remote Password) connection, which is typically employed for configuring devices within the mesh network. Due to insufficient sanitization of input parameters, an attacker can inject malicious OS commands through this update mechanism. This injection can lead to arbitrary command execution on the underlying operating system of the device. The vulnerability does not require user interaction but may require network access to the update interface, which could be exposed internally or externally depending on network configuration. Exploitation could allow attackers to disrupt device operation, manipulate network traffic, or pivot to other internal systems. Although no known exploits are currently in the wild, the vulnerability's nature and affected devices' widespread use in home and enterprise mesh networks make it a significant threat. The lack of an official patch at the time of disclosure increases the urgency for mitigation. The vulnerability was published on February 25, 2026, and assigned by ENISA, with no CVSS score provided yet.

The impact of CVE-2026-27849 is substantial for organizations relying on Linksys MR9600 and MX4200 routers, especially in mesh network deployments. Successful exploitation can lead to full compromise of the affected device, allowing attackers to execute arbitrary OS commands. This can result in unauthorized access to network traffic, disruption of network services, and potential lateral movement within the internal network. Confidentiality, integrity, and availability of network communications are at risk. For enterprises, this could mean exposure of sensitive data, interruption of business operations, and increased risk of further compromise. For home users, it could lead to loss of control over their network and devices. The vulnerability's exploitation could also facilitate persistent backdoors or malware installation on network infrastructure. Given the routers' role in managing mesh networks, the scope of impact can extend beyond a single device, affecting multiple connected devices and users. The absence of known exploits currently reduces immediate risk but does not diminish the potential severity once exploitation tools become available.

Until an official patch is released by Linksys, organizations should implement several specific mitigations: 1) Restrict network access to the update functionality by limiting it to trusted management networks or VPNs, preventing exposure to untrusted networks or the internet. 2) Disable or restrict the TLS-SRP update feature if possible, especially if not actively used for mesh device configuration. 3) Monitor network traffic for unusual or unauthorized commands or update requests targeting the affected devices. 4) Employ network segmentation to isolate mesh network devices from critical infrastructure and sensitive data environments. 5) Maintain strict access controls and authentication policies on router management interfaces. 6) Prepare for rapid deployment of patches once available by inventorying affected devices and establishing update procedures. 7) Consider deploying intrusion detection/prevention systems (IDS/IPS) with signatures for command injection attempts targeting these routers. 8) Educate network administrators about this vulnerability and encourage vigilance for suspicious device behavior. These targeted actions go beyond generic advice by focusing on the specific attack vector and device capabilities.