CVE-2026-59800

decolua · 9router

9Router contains an OS command injection vulnerability in an unauthenticated API endpoint, allowing remote attackers to execute arbitrary system commands as root.

Executive summary

A critical OS command injection vulnerability in 9Router allows remote, unauthenticated attackers to achieve full system compromise via arbitrary command execution.

Vulnerability

The /api/tunnel/tailscale-install endpoint fails to authenticate requests and improperly sanitizes the sudoPassword input, which is passed directly to a shell process, enabling command injection.

Business impact

The CVSS score of 9.8 reflects the high risk of this vulnerability, which allows an attacker to execute commands with root privileges. Successful exploitation can lead to total system takeover, lateral movement within the network, and the exfiltration of sensitive configuration or user data. Confirmed exploitation in the wild further elevates the urgency of this advisory.

Remediation

Immediate Action: Update 9router to version 0.4.44 or later immediately to patch the affected API endpoint.

Proactive Monitoring: Inspect system logs for suspicious process spawning, particularly those involving sudo or shell execution triggered by the web service, as exploitation has been observed in the wild.

Compensating Controls: Restrict network access to the 9Router management interface and associated API endpoints to authorized IP addresses only via network-level firewalls.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the confirmed active exploitation of this flaw, this issue should be treated with the highest level of urgency. Organizations running 9Router must apply the vendor-provided update immediately to neutralize this critical command injection risk.