CVE-2026-55501

decolua · 9router

9router fails to properly restrict excessive authentication attempts, potentially allowing attackers to conduct brute-force or credential-stuffing attacks against the system.

Executive summary

An improper restriction of authentication attempts in 9router could allow an unauthenticated attacker to brute-force system credentials.

Vulnerability

The application lacks adequate mechanisms to limit the rate or number of authentication attempts (CWE-307). This allows an unauthenticated attacker to submit repeated login attempts, significantly increasing the likelihood of successfully guessing valid credentials.

Business impact

The CVSS score of 7.3 reflects the high risk of account takeover via brute-force. Successful exploitation could lead to full unauthorized access to the router’s administrative functions, potentially resulting in complete compromise of the routing data and the AI token-saving configuration.

Remediation

Immediate Action: Update the 9router package to version 0.4.77 or later to implement the required authentication rate limiting.

Proactive Monitoring: Monitor authentication logs for high volumes of failed login attempts from single or distributed IP addresses.

Compensating Controls: Implement an external rate-limiting mechanism, such as an identity-aware proxy or a Web Application Firewall (WAF) rule, to block IPs showing suspicious authentication activity.

Exploitation status

Public Exploit Available: No

Analyst recommendation

The availability of a proof-of-concept and the lack of native rate limiting make this a priority for remediation. Organizations should update to the patched version immediately to prevent automated credential-guessing attacks.