Cyber Resilience

CVE-2026-27849

Critical · RCE

Published: 25 February 2026
Modified: 15 April 2026
KEV Added: not listed
Patch: not stated
CVSS Score (v3.1): 9.8, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.0031 (23.0th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-27849 is a critical-severity OS Command Injection (CWE-78) vulnerability in Syss (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 23.0th percentile by exploit likelihood (EPSS, below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-27849 is a critical OS command injection vulnerability (CWE-78) stemming from missing neutralization of special elements in the update functionality of a TLS-SRP connection, which is used for configuring devices inside a mesh network. Assigned a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), it affects specific firmware versions: MR9600 1.0.4.205530 and MX4200 1.0.13.210200. Published on 2026-02-25, this flaw allows arbitrary OS command execution on impacted devices.

A remote, unauthenticated attacker can exploit the vulnerability over the network with low complexity and no user interaction required. By injecting malicious commands via the TLS-SRP update mechanism, the attacker can achieve high-impact compromise, including unauthorized access to sensitive data (C:H), modification of system behavior (I:H), and disruption of device operations (A:H), potentially leading to full control over the affected mesh network devices.

The SYSS advisory provides further details on the issue, available at https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-011.txt.

Vulnerability details

Due to missing neutralization of special elements, OS commands can be injected via the update functionality of a TLS-SRP connection, which is normally used for configuring devices inside the mesh network. This issue affects MR9600: 1.0.4.205530; MX4200: 1.0.13.210200.

CWE(s)

CWE-78: OS Command Injection (improper neutralization of special elements used in an OS command)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Remote unauthenticated OS command injection (CWE-78) in network-exposed update functionality directly enables T1190 for initial access and T1059.004 for arbitrary Unix shell command execution on the device.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2018-25115 (shared CWE-78)
CVE-2025-24382 (shared CWE-78)
CVE-2026-29058 (shared CWE-78)
CVE-2024-57016 (shared CWE-78)
CVE-2024-46484 (shared CWE-78)
CVE-2015-10145 (shared CWE-78)
CVE-2020-37002 (shared CWE-78)
CVE-2026-27848 (shared CWE-78)
CVE-2025-0356 (shared CWE-78)
CVE-2025-13942 (shared CWE-78)

Affected Assets

Syss (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5, AI-mapped)

prevent, SI-10 (Information Input Validation): Directly addresses the missing neutralization of special elements in the TLS-SRP update inputs to prevent OS command injection.

prevent, SI-2 (Flaw Remediation): Requires monitoring, testing, and installation of firmware patches to remediate the command injection vulnerability in affected MR9600 and MX4200 versions.

prevent: Restricts inputs to the update functionality to permitted types and formats, mitigating injection of malicious OS commands via disallowed special elements.
