Cyber Resilience

CVE-2026-27848

Critical · RCE

Published: 25 February 2026

Modified: 15 April 2026
KEV Added
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0032 (23.6th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-27848 is a critical-severity OS Command Injection (CWE-78) vulnerability in Syss (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 23.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-27848 is a critical vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) involving OS command injection (CWE-78) due to missing neutralization of special elements in the TLS-SRP handshake of affected devices. This flaw allows injected OS commands to be executed with root privileges. The issue impacts MR9600 firmware version 1.0.4.205530 and MX4200 firmware version 1.0.13.210200.

Attackers can exploit this vulnerability remotely over the network with low attack complexity and without authentication, privileges, or user interaction. Successful exploitation enables arbitrary OS command execution as the root user, with high impact on confidentiality, integrity, and availability, such as full control over the device.

Mitigation guidance is provided in the SYSS advisory at https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-010.txt, published ahead of the CVE disclosure on 2026-02-25.

Vulnerability details

Due to missing neutralization of special elements, OS commands can be injected via the handshake of a TLS-SRP connection, which are ultimately run as the root user. This issue affects MR9600: 1.0.4.205530; MX4200: 1.0.13.210200.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

Remote unauthenticated OS command injection (CWE-78) in an exposed TLS-SRP service directly enables initial access via public-facing application exploitation (T1190) and arbitrary root-level command execution via a Unix shell (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2018-25115 (shared CWE-78)
CVE-2025-24382 (shared CWE-78)
CVE-2026-29058 (shared CWE-78)
CVE-2024-57016 (shared CWE-78)
CVE-2024-46484 (shared CWE-78)
CVE-2015-10145 (shared CWE-78)
CVE-2020-37002 (shared CWE-78)
CVE-2025-0356 (shared CWE-78)
CVE-2025-13942 (shared CWE-78)
CVE-2025-7404 (shared CWE-78)

Affected Assets

Syss
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Directly mandates validation and neutralization of untrusted inputs like special elements in the TLS-SRP handshake to block OS command injection.

Prevent: Requires identification, reporting, and timely patching of flaws like this command injection vulnerability in affected router firmware.

Prevent: Enforces least privilege to prevent injected OS commands from executing with unnecessary root privileges on the affected devices.
