CVE-2026-27850
Published: 25 February 2026
Summary
CVE-2026-27850 is a high-severity vulnerability of an unspecified weakness type in Syss (inferred from references). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique External Remote Services (T1133). It ranks at the 14.2 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
Threat & Defense Details
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
A misconfigured firewall rule exposes internal services on the WAN when the source port is 5222, enabling unauthenticated remote access to services normally restricted to the LAN. This maps directly to initial access via external remote services or exploitation of now-public-facing applications.
NVD Description
Due to an improperly configured firewall rule, the router will accept any connection on the WAN port with the source port 5222, exposing all services which are normally only accessible through the local network. This issue affects MR9600: 1.0.4.205530; MX4200: 1.0.13.210200.
Deeper analysis (AI)
CVE-2026-27850, published on 2026-02-25, stems from an improperly configured firewall rule in affected router models. This flaw causes the router to accept any connection on the WAN port when the source port is 5222, thereby exposing all services that are normally restricted to local network access only. The vulnerability impacts MR9600 version 1.0.4.205530 and MX4200 version 1.0.13.210200, with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
Attackers require only network-level access to the router's WAN interface, with no privileges, user interaction, or special complexity needed. By initiating a connection from source port 5222, remote unauthenticated adversaries can reach internal services, achieving high confidentiality impact through unauthorized exposure of sensitive data or network resources without affecting integrity or availability.
The SYSS advisory at https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-014.txt provides further details on this issue, including potential mitigation steps.
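A defensive check for the class of rule described above, as an added example that is not taken from the advisory or the vendor firmware: it scans an iptables-save style ruleset for WAN-reachable INPUT rules that accept traffic based only on the sender-chosen source port. The iptables format, the interface names `eth0` and `br0`, and the sample rules are assumptions constructed for illustration; the page does not say which firewall implementation the router uses.

```python
import shlex

# Constructed sample in iptables-save format (not taken from the affected firmware).
# Assumption: eth0 is the WAN interface, br0 the LAN bridge.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 5222 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 5222 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 443 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
COMMIT
"""

SPORT_FLAGS = {"--sport", "--source-port", "--sports", "--source-ports"}
DPORT_FLAGS = {"--dport", "--destination-port", "--dports", "--destination-ports"}
STATE_FLAGS = {"--ctstate", "--state"}


def find_source_port_accepts(ruleset, wan_if="eth0"):
    """Return (line_no, rule) for INPUT ACCEPT rules reachable from the WAN
    whose only port restriction is the sender-chosen source port."""
    findings = []
    for line_no, line in enumerate(ruleset.splitlines(), start=1):
        tok = shlex.split(line)
        if tok[:2] != ["-A", "INPUT"] or "-j" not in tok:
            continue
        if tok[tok.index("-j") + 1] != "ACCEPT":
            continue
        # A rule with no -i applies to every interface, WAN included.
        if "-i" in tok and tok[tok.index("-i") + 1] != wan_if:
            continue
        has_sport = any(t in SPORT_FLAGS for t in tok)
        has_dport = any(t in DPORT_FLAGS for t in tok)
        # State matching that excludes NEW limits the rule to reply traffic.
        states = [tok[i + 1] for i, t in enumerate(tok[:-1]) if t in STATE_FLAGS]
        reply_only = bool(states) and all("NEW" not in s.split(",") for s in states)
        if has_sport and not has_dport and not reply_only:
            findings.append((line_no, line))
    return findings


if __name__ == "__main__":
    for line_no, rule in find_source_port_accepts(SAMPLE_RULES):
        print(f"line {line_no}: accepts by source port only: {rule}")
```

Rules that pair a source-port match with connection-state matching that excludes NEW are treated as reply-traffic rules and are not flagged.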
Details
- CWE(s)