9.8
OpenWRT Devices Can Be Hijacked by Malicious Updates
CVE-2026-27849
Summary
A security issue exists in OpenWRT devices, specifically certain versions of the MR9600 and MX4200. It allows attackers to send malicious updates that execute OS commands, potentially taking control of the device. Manufacturers should update to the latest software versions to prevent this.
Original title
Due to missing neutralization of special elements, OS commands can be injected via the update functionality of a TLS-SRP connection, which is normally used for configuring devices inside the mesh n...
Original description
Due to missing neutralization of special elements, OS commands can be injected via the update functionality of a TLS-SRP connection, which is normally used for configuring devices inside the mesh network.
This issue affects MR9600: 1.0.4.205530; MX4200: 1.0.13.210200.
nvd CVSS3.1
9.8
Vulnerability type
CWE-78
OS Command Injection
Published: 25 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026