{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/9router--0.4.44/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-59800"}],"_cs_exploited":true,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["9Router \u003c 0.4.44"],"_cs_severities":["critical"],"_cs_tags":["os-command-injection","rce","web-vulnerability","network-appliance","linux"],"_cs_type":"threat","_cs_vendors":["9Router"],"content_html":"\u003cp\u003eA severe OS command injection vulnerability, tracked as CVE-2026-59800, has been identified in 9Router versions prior to 0.4.44. This flaw allows an unauthenticated remote attacker to achieve arbitrary OS command execution with root privileges. The vulnerability resides in the \u003ccode\u003ePOST /api/tunnel/tailscale-install\u003c/code\u003e endpoint, which bypasses authorization checks. Attackers can exploit this by submitting a specially crafted \u003ccode\u003esudoPassword\u003c/code\u003e field within the request body. This input is then fed directly to a \u003ccode\u003esudo -S sh\u003c/code\u003e child process, which, under specific \u003ccode\u003esudo\u003c/code\u003e configurations (e.g., NOPASSWD or a valid timestamp cache), interprets the malicious input as a shell command. The Shadowserver Foundation first observed evidence of in-the-wild exploitation on 2026-07-04 (UTC), indicating active threats against vulnerable 9Router instances.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker sends a malicious HTTP POST request to the \u003ccode\u003e9Router\u003c/code\u003e appliance's \u003ccode\u003e/api/tunnel/tailscale-install\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe POST request body contains a crafted \u003ccode\u003esudoPassword\u003c/code\u003e field designed to inject arbitrary OS commands.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003e9Router\u003c/code\u003e application receives the request and, due to a lack of authorization checks on this specific route, processes it without authentication.\u003c/li\u003e\n\u003cli\u003eThe application invokes a \u003ccode\u003esudo -S sh\u003c/code\u003e child process, writing the attacker-controlled \u003ccode\u003esudoPassword\u003c/code\u003e field directly to its standard input (stdin).\u003c/li\u003e\n\u003cli\u003eIf \u003ccode\u003esudo\u003c/code\u003e does not prompt for a password (e.g., NOPASSWD setting is configured, or a recent \u003ccode\u003esudo\u003c/code\u003e timestamp cache exists), the \u003ccode\u003esh\u003c/code\u003e interpreter executes the \u003ccode\u003esudoPassword\u003c/code\u003e value as arbitrary shell commands.\u003c/li\u003e\n\u003cli\u003eThe injected OS commands are executed with root privileges on the underlying Linux operating system of the \u003ccode\u003e9Router\u003c/code\u003e appliance.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves full system compromise, enabling data exfiltration, further lateral movement, or persistent control of the device.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe exploitation of CVE-2026-59800, with a CVSS v3.1 Base Score of 9.8 (Critical), results in complete compromise of the affected 9Router appliance. Successful exploitation grants an unauthenticated remote attacker root-level access to the underlying Linux operating system. This allows for arbitrary code execution, enabling attackers to exfiltrate sensitive network configurations, disrupt network services, establish persistent backdoors, or pivot into the internal network. Given that Shadowserver has observed active exploitation, organizations using vulnerable 9Router versions are at immediate risk of severe security breaches and operational disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch \u003ccode\u003e9Router\u003c/code\u003e instances to version 0.4.44 or newer to address \u003ccode\u003eCVE-2026-59800\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided in this brief to your SIEM to detect exploitation attempts of \u003ccode\u003eCVE-2026-59800\u003c/code\u003e via web server logs.\u003c/li\u003e\n\u003cli\u003eConfigure web server or WAF logging to capture HTTP request bodies for the \u003ccode\u003e/api/tunnel/tailscale-install\u003c/code\u003e endpoint, if possible, to aid in payload analysis.\u003c/li\u003e\n\u003cli\u003eReview and enforce strong \u003ccode\u003esudo\u003c/code\u003e configurations on Linux systems, ensuring that \u003ccode\u003eNOPASSWD\u003c/code\u003e is not used unnecessarily and \u003ccode\u003esudo\u003c/code\u003e requires authentication.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-07T19:18:20Z","date_published":"2026-07-07T19:18:20Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-59800-9router-rce/","summary":"A critical OS command injection vulnerability (CVE-2026-59800) affects 9Router versions prior to 0.4.44, allowing unauthenticated remote attackers to execute arbitrary OS commands as root via a crafted POST request to the /api/tunnel/tailscale-install endpoint, leading to full system compromise with active exploitation observed.","title":"Critical OS Command Injection in 9Router (CVE-2026-59800)","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-59800-9router-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - 9Router \u003c 0.4.44","version":"https://jsonfeed.org/version/1.1"}