CVE-2026-62328
decolua · 9Router
9Router is vulnerable to unauthenticated information disclosure through API usage endpoints, resulting from missing authorization and improper exposure of sensitive data.
Executive summary
An unauthenticated information disclosure vulnerability in 9Router allows unauthorized access to sensitive private data via API endpoints.
Vulnerability
This vulnerability stems from missing authorization checks, which allows an unauthenticated attacker to access private personal information via API usage endpoints.
Business impact
The CVSS score of 7.5 reflects the high risk posed by unauthenticated access to sensitive data. A successful exploit could lead to a significant data breach, compromising user privacy and potentially violating regulatory compliance requirements regarding data protection.
Remediation
Immediate Action: Upgrade to a version beyond 0.4.41 as soon as the vendor provides a security update, or apply the latest available version if a fix has been integrated.
Proactive Monitoring: Review API access logs for unauthorized requests or suspicious patterns targeting usage endpoints to identify potential reconnaissance or exploitation attempts.
Compensating Controls: Implement strict network-level access controls or API gateway authentication to restrict access to sensitive endpoints until a permanent software patch can be applied.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Given the ease of exploitation for unauthenticated API vulnerabilities, organizations utilizing 9Router should treat this as a high-priority item. Immediate steps to restrict network access to the affected API endpoints are recommended until the vendor releases a formal security patch.