CVE-2026-27848
Published: 25 February 2026
Summary
CVE-2026-27848 is a critical-severity OS Command Injection (CWE-78) vulnerability in Syss (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 23.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-27848 is a critical vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) involving OS command injection (CWE-78) due to missing neutralization of special elements in the TLS-SRP handshake of affected devices. This flaw allows injected OS commands to be executed with root privileges. The issue impacts MR9600 firmware version 1.0.4.205530 and MX4200 firmware version 1.0.13.210200.
Attackers can exploit this vulnerability remotely over the network without authentication, privileges, or user interaction, requiring only low complexity. Successful exploitation enables arbitrary OS command execution as the root user, resulting in high-impact compromise of confidentiality, integrity, and availability, such as full control over the device.
Mitigation guidance is provided in the SYSS advisory at https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-010.txt, published ahead of the CVE disclosure on 2026-02-25.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8650
Vulnerability details
Due to missing neutralization of special elements, OS commands can be injected via the handshake of a TLS-SRP connection, which are ultimately run as the root user. This issue affects MR9600: 1.0.4.205530; MX4200: 1.0.13.210200.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated OS command injection (CWE-78) in exposed TLS-SRP service directly enables initial access via public-facing application exploitation (T1190) and arbitrary root-level command execution via Unix shell (T1059.004).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mandates validation and neutralization of untrusted inputs like special elements in the TLS-SRP handshake to block OS command injection.
Requires identification, reporting, and timely patching of flaws like this command injection vulnerability in affected router firmware.
Enforces least privilege to prevent injected OS commands from executing with unnecessary root privileges on the affected devices.