CVE-2026-27849
Published: 25 February 2026
Summary
CVE-2026-27849 is a critical-severity OS Command Injection (CWE-78) vulnerability in Syss (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 23.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-27849 is a critical OS command injection vulnerability (CWE-78) stemming from missing neutralization of special elements in the update functionality of a TLS-SRP connection, which is used for configuring devices inside a mesh network. Assigned a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), it affects specific firmware versions: MR9600 1.0.4.205530 and MX4200 1.0.13.210200. Published on 2026-02-25, this flaw allows arbitrary OS command execution on impacted devices.
A remote, unauthenticated attacker can exploit the vulnerability over the network with low complexity and no user interaction required. By injecting malicious commands via the TLS-SRP update mechanism, the attacker can achieve high-impact compromise, including unauthorized access to sensitive data (C:H), modification of system behavior (I:H), and disruption of device operations (A:H), potentially leading to full control over the affected mesh network devices.
The SYSS advisory provides further details on the issue, available at https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-011.txt.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8688
Vulnerability details
Due to missing neutralization of special elements, OS commands can be injected via the update functionality of a TLS-SRP connection, which is normally used for configuring devices inside the mesh network. This issue affects MR9600: 1.0.4.205530; MX4200: 1.0.13.210200.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated OS command injection (CWE-78) in network-exposed update functionality directly enables T1190 for initial access and T1059.004 for arbitrary Unix shell command execution on the device.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly addresses the missing neutralization of special elements in the TLS-SRP update inputs to prevent OS command injection.
Requires monitoring, testing, and installation of firmware patches to remediate the command injection vulnerability in affected MR9600 and MX4200 versions.
Restricts inputs to the update functionality to permitted types and formats, mitigating injection of malicious OS commands via disallowed special elements.