Critical OS Command Injection in 9Router (CVE-2026-59800)
A critical OS command injection vulnerability (CVE-2026-59800) affects 9Router versions prior to 0.4.44, allowing unauthenticated remote attackers to execute arbitrary OS commands as root via a crafted POST request to the /api/tunnel/tailscale-install endpoint, leading to full system compromise with active exploitation observed.
A severe OS command injection vulnerability, tracked as CVE-2026-59800, has been identified in 9Router versions prior to 0.4.44. This flaw allows an unauthenticated remote attacker to achieve arbitrary OS command execution with root privileges. The vulnerability resides in the POST /api/tunnel/tailscale-install endpoint, which bypasses authorization checks. Attackers can exploit this by submitting a specially crafted sudoPassword field within the request body. This input is then fed directly to a sudo -S sh child process, which, under specific sudo configurations (e.g., NOPASSWD or a valid timestamp cache), interprets the malicious input as a shell command. The Shadowserver Foundation first observed evidence of in-the-wild exploitation on 2026-07-04 (UTC), indicating active threats against vulnerable 9Router instances.
Attack Chain
- An unauthenticated attacker sends a malicious HTTP POST request to the
9Routerappliance's/api/tunnel/tailscale-installendpoint. - The POST request body contains a crafted
sudoPasswordfield designed to inject arbitrary OS commands. - The vulnerable
9Routerapplication receives the request and, due to a lack of authorization checks on this specific route, processes it without authentication. - The application invokes a
sudo -S shchild process, writing the attacker-controlledsudoPasswordfield directly to its standard input (stdin). - If
sudodoes not prompt for a password (e.g., NOPASSWD setting is configured, or a recentsudotimestamp cache exists), theshinterpreter executes thesudoPasswordvalue as arbitrary shell commands. - The injected OS commands are executed with root privileges on the underlying Linux operating system of the
9Routerappliance. - The attacker achieves full system compromise, enabling data exfiltration, further lateral movement, or persistent control of the device.
Impact
The exploitation of CVE-2026-59800, with a CVSS v3.1 Base Score of 9.8 (Critical), results in complete compromise of the affected 9Router appliance. Successful exploitation grants an unauthenticated remote attacker root-level access to the underlying Linux operating system. This allows for arbitrary code execution, enabling attackers to exfiltrate sensitive network configurations, disrupt network services, establish persistent backdoors, or pivot into the internal network. Given that Shadowserver has observed active exploitation, organizations using vulnerable 9Router versions are at immediate risk of severe security breaches and operational disruption.
Recommendation
- Immediately patch
9Routerinstances to version 0.4.44 or newer to addressCVE-2026-59800. - Deploy the Sigma rule provided in this brief to your SIEM to detect exploitation attempts of
CVE-2026-59800via web server logs. - Configure web server or WAF logging to capture HTTP request bodies for the
/api/tunnel/tailscale-installendpoint, if possible, to aid in payload analysis. - Review and enforce strong
sudoconfigurations on Linux systems, ensuring thatNOPASSWDis not used unnecessarily andsudorequires authentication.
Detection coverage 1
Detects CVE-2026-59800 Exploitation Attempts - 9Router OS Command Injection
highDetects HTTP POST requests to the vulnerable /api/tunnel/tailscale-install endpoint in 9Router, indicating attempts to exploit CVE-2026-59800 via OS command injection in the request body.
Detection queries are available on the platform. Get full rules →