Cyber Resilience

CVE-2026-27850

High

Published: 25 February 2026

Modified: 15 April 2026
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0005 (14.7th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-27850 is a high-severity vulnerability with an unspecified weakness class, attributed to Syss (inferred from references). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique External Remote Services (T1133). The CVE ranks at the 14.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and CM-6 (Configuration Settings).

Deeper analysis

CVE-2026-27850, published on 2026-02-25, stems from an improperly configured firewall rule in affected router models. This flaw causes the router to accept any connection on the WAN port when the source port is 5222, thereby exposing all services that are normally restricted to local network access only. The vulnerability impacts MR9600 version 1.0.4.205530 and MX4200 version 1.0.13.210200, with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Attackers require only network-level access to the router's WAN interface, with no privileges, user interaction, or special complexity needed. By initiating a connection from source port 5222, remote unauthenticated adversaries can reach internal services, achieving high confidentiality impact through unauthorized exposure of sensitive data or network resources without affecting integrity or availability.

The SYSS advisory at https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-014.txt provides further details on this issue, including potential mitigation steps.
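A configuration audit for the rule class described above, as an added example that is not taken from the advisory or the affected firmware. It assumes the firewall can be exported in iptables-save syntax and that eth0 is the WAN interface; the ruleset is constructed for illustration, and the check generalizes from port 5222 to any WAN-facing ACCEPT rule gated only on a source port.

```python
import shlex

# Constructed sample in iptables-save syntax; NOT the affected firmware's rules.
# Assumption: eth0 is the WAN interface and br0 is the LAN bridge.
SAMPLE_RULES = """\
-A INPUT -i br0 -j ACCEPT
-A INPUT -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 5222 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 5222 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m multiport --sports 53,123 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth0 -j DROP
"""

SPORT_OPTS = {"--sport", "--source-port", "--sports", "--source-ports"}
STATE_OPTS = {"--ctstate", "--state"}


def parse_rule(line):
    """Return (chain, {option: value}) for one '-A' line, or None for anything else."""
    tokens = shlex.split(line)
    if len(tokens) < 2 or tokens[0] != "-A":
        return None
    opts = {}
    # Pair every option token with the value token that directly follows it.
    for opt, val in zip(tokens[2:], tokens[3:]):
        if opt.startswith("-") and not val.startswith("-"):
            opts[opt] = val
    return tokens[1], opts


def sport_only_accepts(ruleset, wan_if="eth0"):
    """Flag WAN-facing ACCEPT rules whose gate is a source port the remote peer chooses."""
    findings = []
    for line in ruleset.splitlines():
        parsed = parse_rule(line)
        if not parsed:
            continue
        chain, opts = parsed
        if chain not in ("INPUT", "FORWARD") or opts.get("-j") != "ACCEPT":
            continue
        if opts.get("-i", wan_if) != wan_if:  # a rule with no -i applies to the WAN too
            continue
        has_sport = any(o in opts for o in SPORT_OPTS)
        # A state match that excludes NEW limits the rule to reply traffic only.
        stateful = any("NEW" not in opts[o].split(",") for o in STATE_OPTS if o in opts)
        if has_sport and not stateful:
            findings.append(line)
    return findings
```

Each flagged rule should either be removed or bound to connection state so that only replies to LAN-initiated traffic match.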

Vulnerability details

Due to an improperly configured firewall rule, the router will accept any connection on the WAN port with the source port 5222, exposing all services which are normally only accessible through the local network. This issue affects MR9600: 1.0.4.205530; MX4200: 1.0.13.210200.

CWE(s)
None listed

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1133 · External Remote Services · Persistence
Adversaries may leverage external-facing remote services to initially access and/or persist within a network.

T1190 · Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Misconfigured firewall rule exposes internal services on WAN when source port=5222, enabling unauthenticated remote access to services normally restricted to LAN; directly maps to initial access via external remote services or exploitation of now-public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

Affected Assets

Syss
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Prevent: Mandates monitoring and control of communications at external boundaries to block unauthorized WAN connections to internal services via misconfigured firewall rules.

Prevent: Enforces organization-defined information flow control policies to restrict external access to internal-only services on the WAN interface.

Prevent: Requires establishment of secure configuration settings for firewall rules to prevent acceptance of WAN connections from source port 5222.

References