Cyber Resilience

CVE-2026-27847

Critical

Published: 25 February 2026
Modified: 15 April 2026
CVSS v3.1 score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0032 (23.6th percentile)
Risk priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-27847 is a critical-severity SQL Injection (CWE-89) vulnerability in Syss (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS ranks at the 23.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-27847 is a SQL injection vulnerability (CWE-89) caused by improper neutralization of special elements in the TLS-SRP handshake process. This flaw allows SQL statements to be injected, enabling attackers to manipulate database interactions during authentication. The vulnerability affects MR9600 firmware version 1.0.4.205530 and MX4200 firmware version 1.0.13.210200, with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), classifying it as critical.

A remote, unauthenticated attacker can exploit this issue over the network with low complexity and no user interaction required. By injecting known credentials via the TLS-SRP handshake, the attacker can trick the database into validating them, successfully completing the handshake and gaining access to the protected service. This achieves high-impact confidentiality, integrity, and availability compromises.

The SYSS advisory at https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-009.txt provides further details on the vulnerability; security practitioners should consult it for recommended mitigations and any available patches.

Vulnerability details

Due to improper neutralization of special elements, SQL statements can be injected via the handshake of a TLS-SRP connection. This can be used to inject known credentials into the database that can be utilized to successfully complete the handshake and use the protected service. This issue affects MR9600: 1.0.4.205530; MX4200: 1.0.13.210200.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Remote unauthenticated SQL injection in TLS-SRP authentication handshake of network-exposed firmware directly enables initial access via exploitation of a public-facing application/service.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-24956 (shared CWE-89)
CVE-2026-33615 (shared CWE-89)
CVE-2025-28939 (shared CWE-89)
CVE-2021-47872 (shared CWE-89)
CVE-2025-28873 (shared CWE-89)
CVE-2019-25636 (shared CWE-89)
CVE-2026-32611 (shared CWE-89)
CVE-2026-42755 (shared CWE-89)
CVE-2024-53544 (shared CWE-89)
CVE-2026-21410 (shared CWE-89)

Affected Assets

Syss (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent: SI-10 (Information Input Validation) mandates validation and sanitization of inputs from external sources like the TLS-SRP handshake to prevent SQL injection by neutralizing special elements used in database queries.

prevent: SI-2 (Flaw Remediation) requires timely identification, reporting, and patching of flaws such as this SQL injection vulnerability in the affected MR9600 and MX4200 firmware.

prevent, detect: RA-5 (Vulnerability Monitoring and Scanning) employs vulnerability scanning to identify SQL injection flaws in authentication processes like TLS-SRP handshakes and triggers remediation.