CVE-2026-27850

Vulnerability

Overview

The Linksys MR9600 (firmware 1.0.4.205530) and MX4200 (firmware 1.0.13.210200) routers contain a firewall rule that improperly verifies the source of a communication channel (CWE-940). Specifically, the iptables chain wan2self_ports includes a rule that accepts all incoming TCP packets on the WAN interface (eth0) with source port 5222, bypassing the intended LAN-only access restrictions [1].

Exploitation

An attacker on the internet can send packets to the router's WAN IP address using source port 5222. The firewall will accept these packets and forward them to any service listening on the router's IP address (0.0.0.0). No authentication or prior knowledge of internal services is required beyond the router's public IP. This effectively exposes all local services—such as the web administration interface, UPnP, or other daemons—to the open internet [1].

Impact

Successful exploitation allows an unauthenticated remote attacker to interact with services that should only be accessible from the local network. This can lead to unauthorized configuration changes, information disclosure, or further compromise of the router and connected devices. The advisory notes that this is especially critical when combined with other vulnerabilities (e.g., SYSS-2025-009) that may be reachable through the exposed services [1].

Mitigation

Linksys has released firmware updates that correct the firewall rule. The fix was developed by 2025-06-24 and is included in later firmware versions for both MR9600 and MX4200. Users should update to the latest firmware available from the manufacturer's support site. No workaround is available other than applying the patch [1].