CVE-2026-27849

Name of the Vulnerable Software and Affected Versions MR9600 versions 1.0.4.205530 MX4200 versions 1.0.13.210200

Description The issue stems from a lack of proper handling of special characters, allowing for the injection of OS commands through the update functionality associated with a TLS-SRP connection. This connection is typically used for device configuration within a mesh network. The vulnerability allows an attacker to inject and execute arbitrary OS commands. The vulnerable functionality is related to the update process and the TLS-SRP connection.

Recommendations MR9600 version 1.0.4.205530: At the moment, there is no information about a newer version that contains a fix for this vulnerability. MX4200 version 1.0.13.210200: At the moment, there is no information about a newer version that contains a fix for this vulnerability.