Skip to content
Threat Feed
critical threat exploited

Critical OS Command Injection in 9Router (CVE-2026-59800)

A critical OS command injection vulnerability (CVE-2026-59800) affects 9Router versions prior to 0.4.44, allowing unauthenticated remote attackers to execute arbitrary OS commands as root via a crafted POST request to the /api/tunnel/tailscale-install endpoint, leading to full system compromise with active exploitation observed.

A severe OS command injection vulnerability, tracked as CVE-2026-59800, has been identified in 9Router versions prior to 0.4.44. This flaw allows an unauthenticated remote attacker to achieve arbitrary OS command execution with root privileges. The vulnerability resides in the POST /api/tunnel/tailscale-install endpoint, which bypasses authorization checks. Attackers can exploit this by submitting a specially crafted sudoPassword field within the request body. This input is then fed directly to a sudo -S sh child process, which, under specific sudo configurations (e.g., NOPASSWD or a valid timestamp cache), interprets the malicious input as a shell command. The Shadowserver Foundation first observed evidence of in-the-wild exploitation on 2026-07-04 (UTC), indicating active threats against vulnerable 9Router instances.

Attack Chain

  1. An unauthenticated attacker sends a malicious HTTP POST request to the 9Router appliance's /api/tunnel/tailscale-install endpoint.
  2. The POST request body contains a crafted sudoPassword field designed to inject arbitrary OS commands.
  3. The vulnerable 9Router application receives the request and, due to a lack of authorization checks on this specific route, processes it without authentication.
  4. The application invokes a sudo -S sh child process, writing the attacker-controlled sudoPassword field directly to its standard input (stdin).
  5. If sudo does not prompt for a password (e.g., NOPASSWD setting is configured, or a recent sudo timestamp cache exists), the sh interpreter executes the sudoPassword value as arbitrary shell commands.
  6. The injected OS commands are executed with root privileges on the underlying Linux operating system of the 9Router appliance.
  7. The attacker achieves full system compromise, enabling data exfiltration, further lateral movement, or persistent control of the device.

Impact

The exploitation of CVE-2026-59800, with a CVSS v3.1 Base Score of 9.8 (Critical), results in complete compromise of the affected 9Router appliance. Successful exploitation grants an unauthenticated remote attacker root-level access to the underlying Linux operating system. This allows for arbitrary code execution, enabling attackers to exfiltrate sensitive network configurations, disrupt network services, establish persistent backdoors, or pivot into the internal network. Given that Shadowserver has observed active exploitation, organizations using vulnerable 9Router versions are at immediate risk of severe security breaches and operational disruption.

Recommendation

  • Immediately patch 9Router instances to version 0.4.44 or newer to address CVE-2026-59800.
  • Deploy the Sigma rule provided in this brief to your SIEM to detect exploitation attempts of CVE-2026-59800 via web server logs.
  • Configure web server or WAF logging to capture HTTP request bodies for the /api/tunnel/tailscale-install endpoint, if possible, to aid in payload analysis.
  • Review and enforce strong sudo configurations on Linux systems, ensuring that NOPASSWD is not used unnecessarily and sudo requires authentication.

Detection coverage 1

Detects CVE-2026-59800 Exploitation Attempts - 9Router OS Command Injection

high

Detects HTTP POST requests to the vulnerable /api/tunnel/tailscale-install endpoint in 9Router, indicating attempts to exploit CVE-2026-59800 via OS command injection in the request body.

sigma tactics: initial_access techniques: T1190 sources: webserver

Detection queries are available on the platform. Get full rules →