CVE-2026-27850 is a vulnerability identified in Linksys MR9600 (version 1.0.4.205530) and MX4200 (version 1.0.13.210200) routers caused by an improperly configured firewall rule. Specifically, the router erroneously accepts incoming WAN connections if the source port is 5222, a port commonly used for XMPP messaging protocols. This misconfiguration effectively bypasses the intended network boundary protections, exposing internal services that should only be accessible from the local network. The root cause is an improper verification of the source of the communication channel, classified under CWE-940. The vulnerability does not require authentication or user interaction and can be exploited remotely over the internet. The CVSS v3.1 score of 7.5 reflects a high severity due to the high confidentiality impact, as attackers can access sensitive internal services remotely. However, the vulnerability does not impact integrity or availability directly. No public exploits have been reported yet, but the ease of exploitation and the exposure of internal services make this a critical concern for affected users. The vulnerability was published on February 25, 2026, and is currently in the PUBLISHED state with no vendor patches linked yet. Organizations relying on these router models should monitor for updates and consider interim firewall rule adjustments to block suspicious WAN traffic on port 5222.

The primary impact of CVE-2026-27850 is the unauthorized exposure of internal network services to the internet, which can lead to significant confidentiality breaches. Attackers can remotely access services that are normally restricted to trusted local networks, potentially harvesting sensitive information or using these services as pivot points for further internal network compromise. Although the vulnerability does not directly affect data integrity or system availability, the confidentiality loss alone can be severe, especially in enterprise or critical infrastructure environments. The lack of required authentication and user interaction lowers the barrier for exploitation, increasing the risk of automated or opportunistic attacks. Organizations with affected routers face increased risk of data leakage, espionage, or lateral movement by threat actors. This vulnerability could also undermine trust in network security controls and lead to compliance violations if sensitive data is exposed. The absence of known exploits currently provides a window for proactive mitigation, but the risk remains high due to the straightforward nature of the flaw.

To mitigate CVE-2026-27850, organizations should immediately review and modify firewall rules on affected Linksys MR9600 and MX4200 routers to block all unsolicited inbound WAN traffic with source port 5222 unless explicitly required and secured. Network administrators should implement strict ingress filtering to prevent unauthorized external access to internal services. If possible, disable or restrict services that listen on port 5222 or related internal services exposed due to this vulnerability. Monitoring network traffic for unusual connection attempts on port 5222 can help detect exploitation attempts. Organizations should prioritize applying official firmware updates or patches from Linksys once released. In the absence of vendor patches, deploying network-level protections such as upstream firewalls or intrusion prevention systems to block suspicious traffic is recommended. Additionally, segmenting critical internal services and enforcing strong authentication and encryption can reduce the impact if exposure occurs. Regular vulnerability scanning and penetration testing should be conducted to verify that the exposure has been mitigated effectively.