CVE-2026-27847 – This vulnerability allows SQL injection through... (How to Fix)

📋 TL;DR

This vulnerability allows SQL injection through TLS-SRP handshake parameters, enabling attackers to inject known credentials into the database. Successful exploitation allows unauthorized access to protected services. Affects specific versions of MR9600 and MX4200 devices.

💻 Affected Systems

Products:

MR9600
MX4200

Versions: MR9600: 1.0.4.205530; MX4200: 1.0.13.210200

Operating Systems: Embedded firmware

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects devices with TLS-SRP enabled and using the vulnerable firmware versions.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of TLS-SRP protected services, unauthorized access to sensitive systems, and potential lateral movement within the network.

🟠

Likely Case

Unauthorized access to specific services protected by TLS-SRP, potentially leading to data exposure or service disruption.

🟢

If Mitigated

Limited impact with proper input validation and database access controls in place.

🌐 Internet-Facing: HIGH - TLS-SRP connections are typically internet-facing authentication mechanisms.

🏢 Internal Only: MEDIUM - Internal TLS-SRP services could still be targeted by internal threats.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploitation requires understanding of TLS-SRP protocol and SQL injection techniques against the specific implementation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified in available information

Vendor Advisory: Not provided in references

Restart Required: Yes

Instructions:

1. Check vendor website for security updates
2. Apply firmware update if available
3. Restart affected devices
4. Verify TLS-SRP functionality post-update

🔧 Temporary Workarounds

Disable TLS-SRP

all

Disable TLS-SRP authentication if not required for your use case

Check device configuration for TLS-SRP settings and disable

Network Segmentation

all

Restrict access to TLS-SRP services to trusted networks only

Configure firewall rules to limit access to TLS-SRP ports

🧯 If You Can't Patch

Implement WAF rules to detect and block SQL injection patterns in TLS handshakes
Monitor database logs for unusual credential insertions or authentication attempts

🔍 How to Verify

Check if Vulnerable:

Check device firmware version against affected versions list

Check Version:

Check device web interface or CLI for firmware version information

Verify Fix Applied:

Verify firmware version is updated beyond affected versions and test TLS-SRP functionality

📡 Detection & Monitoring

Log Indicators:

Unusual SQL queries in database logs
Failed TLS-SRP handshakes with malformed parameters
Unexpected credential creation in authentication logs

Network Indicators:

Unusual TLS handshake patterns
SQL injection patterns in TLS-SRP traffic

SIEM Query:

Search for 'TLS-SRP' AND ('SQL' OR 'injection') in network traffic logs

📊 Metadata

CVE ID: CVE-2026-27847

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-89

Published: February 25, 2026

Last Updated: February 27, 2026

🔗 References

https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-009.txt

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-27847, you might also want to check these: