Harry Sintonen
@harrysintonen@infosec.exchange · 2 weeks ago

Plethora of critical #Linksys MX4200 Wi-Fi router vulnerabilities (that were originally reported to Linksys nearly a year ago!) are still unfixed:

- [SYSS-2025-001] Linksys MX9600/MX4200 - Path Traversal https://seclists.org/fulldisclosure/2026/Feb/10
- [SYSS-2025-002] Linksys MX9600/MX4200 - Missing Authentication for Critical Function https://seclists.org/fulldisclosure/2026/Feb/11
- [SYSS-2025-009] Linksys MX9600/MX4200 - SQL Injection https://seclists.org/fulldisclosure/2026/Feb/12
- [SYSS-2025-010] Linksys MX9600/MX4200 - OS Command Injection https://seclists.org/fulldisclosure/2026/Feb/13
- [SYSS-2025-011] Linksys MX9600/MX4200 - OS Command Injection https://seclists.org/fulldisclosure/2026/Feb/18
- [SYSS-2025-014] Linksys MX4200 - Improper Verification of Source of a Communication Channel https://seclists.org/fulldisclosure/2026/Feb/19

On first read it might appear that many of these vulnerabilities would only be exploitable by accessing the device non-WAN interface(s) from inside the local network. However, due to the SYSS-2025-014 vulnerability the normally "LAN only RCE" vulnerabilities (SYSS-2025-010 and -011) and SQL injection (SYSS-2025-009) can be performed from the WAN interface (read: the internet). The attacker merely needs to make the connection originate from port 5222 (which is trivial to arrange via local bind before connect).

I recommend retiring the affected devices immediately as the manufacturer clearly has no motivation to fix the issues in a timely manner.

#linksys #fulldisclosure #vulnerability #infosec #cybersecurity

Harry Sintonen
@harrysintonen@infosec.exchange · 2 weeks ago

It would be interesting to hear the original justification for adding the following to the #Linksys MX4200 iptables:

-A INPUT -i eth0 -j wan2self
-A wan2self -j wan2self_ports
-A wan2self_ports -p tcp -m tcp --sport 5222 -j xlog_accept_wan2self
-A xlog_accept_wan2self -j ACCEPT

It's not often you see something that is so difficult to argue to be something else than a deliberate #backdoor. https://seclists.org/fulldisclosure/2026/Feb/19

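An added example, not part of the posts above or of the SySS advisories: a small audit that walks an iptables-save ruleset from INPUT and reports every ACCEPT reachable on the WAN interface whose only port condition is the sender-chosen source port, which is the pattern in the quoted rules. The function names, the STATEFUL_RULES contrast ruleset and the choice of eth0 as the WAN interface (taken from the quoted `-i eth0 -j wan2self` rule) are assumptions of this example.

```python
import shlex

# Rules exactly as quoted in the post above (iptables-save syntax).
MX4200_RULES = """\
-A INPUT -i eth0 -j wan2self
-A wan2self -j wan2self_ports
-A wan2self_ports -p tcp -m tcp --sport 5222 -j xlog_accept_wan2self
-A xlog_accept_wan2self -j ACCEPT
"""

# Constructed contrast: WAN input admitted only as replies to tracked connections.
STATEFUL_RULES = """\
-A INPUT -i eth0 -j wan2self
-A wan2self -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A wan2self -j DROP
"""

# Matches tying a packet to a local service, known peer or existing flow (--sport is sender-chosen).
CONSTRAINTS = {"--dport", "--dports", "-s", "--source", "--ctstate", "--state"}

def parse(text):
    """Map chain name -> list of (match tokens, jump target)."""
    chains = {}
    for line in text.splitlines():
        tok = shlex.split(line)
        if len(tok) >= 4 and tok[0] == "-A" and "-j" in tok:
            j = tok.index("-j")
            chains.setdefault(tok[1], []).append((tok[2:j], tok[j + 1]))
    return chains

def sport_only_accepts(text, wan_if="eth0", start="INPUT"):
    """Return (chain path, source port) per WAN-reachable ACCEPT keyed only on --sport.
    Simplification: negated ("!") matches and rule ordering are not modelled."""
    chains, findings = parse(text), []
    def walk(chain, matches, path):
        for cond, target in chains.get(chain, []):
            m = matches + cond  # conditions accumulated along the jump path
            ifaces = [b for a, b in zip(m, m[1:]) if a == "-i"]
            if target == "ACCEPT":
                if all(i == wan_if for i in ifaces) and "--sport" in m and not CONSTRAINTS & set(m):
                    findings.append((path + [chain], m[m.index("--sport") + 1]))
            elif target in chains and target not in path + [chain]:
                walk(target, m, path + [chain])
    walk(start, [], [])
    return findings

if __name__ == "__main__":
    for path, port in sport_only_accepts(MX4200_RULES):
        print(f"WAN ACCEPT keyed only on source port {port}: {' -> '.join(path)}")
```

On a device you administer, the same function can be fed the text of `iptables-save` output; any finding means inbound WAN packets are admitted without regard to destination port or connection state.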
Bill
@Sempf@infosec.exchange · 2 weeks ago

Bring out yer path traversal memes!!

https://seclists.org/fulldisclosure/2026/Feb/10

#linksys #vulnerability
