CVE-2026-27850

7.5 HIGH

📋 TL;DR

A firewall misconfiguration allows external attackers to connect to internal services through WAN port 5222, bypassing intended network segmentation. This affects Netgear MR9600 and MX4200 routers running specific vulnerable firmware versions, exposing normally LAN-only services to the internet.

💻 Affected Systems

Products:
  • Netgear MR9600
  • Netgear MX4200
Versions: MR9600: 1.0.4.205530; MX4200: 1.0.13.210200
Operating Systems: Router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects devices with default firewall configuration on specified firmware versions.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of internal network services, data exfiltration, lateral movement, and potential full network takeover.

🟠 Likely Case: Unauthorized access to internal services (NAS, printers, IoT devices, management interfaces) leading to data theft or service disruption.

🟢 If Mitigated: Limited impact if services behind the firewall have strong authentication and additional security controls.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only network access to port 5222 on the WAN interface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-014.txt

Restart Required: No

Instructions:

  1. Check Netgear support for firmware updates.
  2. Download latest firmware.
  3. Upload via router admin interface.
  4. Apply update.

🔧 Temporary Workarounds

Block port 5222 on WAN interface

linux

Add firewall rule to block incoming connections on port 5222 from WAN

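# WAN_IF is a placeholder for the WAN-side interface name; -I inserts the rule ahead of any existing ACCEPT
iptables -I INPUT -i "$WAN_IF" -p tcp --dport 5222 -j DROP
iptables -I INPUT -i "$WAN_IF" -p udp --dport 5222 -j DROP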

Change firewall configuration

all

Modify firewall rules to restrict WAN access to port 5222

🧯 If You Can't Patch

  • Segment affected routers behind an additional firewall with strict WAN rules
  • Implement network monitoring for connections to port 5222 from external sources

🔍 How to Verify

Check if Vulnerable:

Attempt to connect to the router's WAN IP on port 5222 using telnet or nc from an external network

Check Version:

Check router admin interface for firmware version

Verify Fix Applied:

Test that external connections to port 5222 on WAN interface are blocked

📡 Detection & Monitoring

Log Indicators:

  • Unexpected connections to port 5222
  • Firewall rule violations for port 5222

Network Indicators:

  • External IPs connecting to internal port 5222
  • Unusual traffic patterns on port 5222

SIEM Query:

dest_port=5222 AND dest_ip=INTERNAL_NETWORK
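
The network indicator above ("External IPs connecting to internal port 5222") can be checked against packet logs. The script below is an added example, not part of the advisory or any vendor tooling; it assumes logs in the netfilter LOG-target key=value format (for instance from an upstream Linux firewall), and the internal ranges, function names and sample lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumption: these ranges are "internal"; adjust to the local address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
WATCHED_PORT = 5222

# key=value fields as written by the netfilter LOG target
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

def is_internal(addr):
    ip = ipaddress.ip_address(addr)  # raises ValueError on malformed input
    return any(ip in net for net in INTERNAL_NETS)

def external_hits(lines, port=WATCHED_PORT):
    """Count logged packets per (external source, protocol) sent to `port`."""
    hits = Counter()
    for line in lines:
        f = dict(FIELD_RE.findall(line))
        if not {"SRC", "DST", "DPT"} <= f.keys():
            continue  # not a packet line, or a protocol without ports
        try:
            if int(f["DPT"]) == port and not is_internal(f["SRC"]):
                hits[(f["SRC"], f.get("PROTO", "?"))] += 1
        except ValueError:
            continue  # malformed address or port: skip rather than crash
    return hits

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE = [
    "Mar  3 10:15:01 gw kernel: FW IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=51544 DPT=5222 SYN",
    "Mar  3 10:15:02 gw kernel: FW IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=51545 DPT=5222 SYN",
    "Mar  3 10:15:09 gw kernel: FW IN=br0 OUT= SRC=192.168.1.23 DST=192.168.1.1 PROTO=TCP SPT=40112 DPT=5222 SYN",
    "Mar  3 10:16:30 gw kernel: FW IN=eth0 OUT= SRC=198.51.100.9 DST=198.51.100.20 PROTO=TCP SPT=44321 DPT=443 SYN",
    "Mar  3 10:17:44 gw kernel: FW IN=eth0 OUT= SRC=2001:db8::5 DST=2001:db8::1 PROTO=UDP SPT=5353 DPT=5222",
    "Mar  3 10:18:00 gw kernel: FW IN=eth0 OUT= SRC=not-an-ip DST=198.51.100.20 PROTO=TCP SPT=1 DPT=5222",
]

if __name__ == "__main__":
    for (src, proto), count in external_hits(SAMPLE).most_common():
        print(f"ALERT external {src} -> port {WATCHED_PORT}/{proto}: {count} packet(s)")
```

Matching on an external source address rather than on the destination covers both a service on the router's own WAN address and one forwarded to a LAN host.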
