<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>9Router &lt; 0.4.44 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/9router--0.4.44/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 07 Jul 2026 19:18:20 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/9router--0.4.44/feed.xml" rel="self" type="application/rss+xml"/><item><title>Critical OS Command Injection in 9Router (CVE-2026-59800)</title><link>https://feed.craftedsignal.io/briefs/2026-07-cve-2026-59800-9router-rce/</link><pubDate>Tue, 07 Jul 2026 19:18:20 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cve-2026-59800-9router-rce/</guid><description>A critical OS command injection vulnerability (CVE-2026-59800) affects 9Router versions prior to 0.4.44, allowing unauthenticated remote attackers to execute arbitrary OS commands as root via a crafted POST request to the /api/tunnel/tailscale-install endpoint, leading to full system compromise with active exploitation observed.</description><content:encoded><![CDATA[<p>A severe OS command injection vulnerability, tracked as CVE-2026-59800, has been identified in 9Router versions prior to 0.4.44. This flaw allows an unauthenticated remote attacker to achieve arbitrary OS command execution with root privileges. The vulnerability resides in the <code>POST /api/tunnel/tailscale-install</code> endpoint, which bypasses authorization checks. Attackers can exploit this by submitting a specially crafted <code>sudoPassword</code> field within the request body. This input is then fed directly to a <code>sudo -S sh</code> child process, which, under specific <code>sudo</code> configurations (e.g., NOPASSWD or a valid timestamp cache), interprets the malicious input as a shell command. The Shadowserver Foundation first observed evidence of in-the-wild exploitation on 2026-07-04 (UTC), indicating active threats against vulnerable 9Router instances.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker sends a malicious HTTP POST request to the <code>9Router</code> appliance's <code>/api/tunnel/tailscale-install</code> endpoint.</li>
<li>The POST request body contains a crafted <code>sudoPassword</code> field designed to inject arbitrary OS commands.</li>
<li>The vulnerable <code>9Router</code> application receives the request and, due to a lack of authorization checks on this specific route, processes it without authentication.</li>
<li>The application invokes a <code>sudo -S sh</code> child process, writing the attacker-controlled <code>sudoPassword</code> field directly to its standard input (stdin).</li>
<li>If <code>sudo</code> does not prompt for a password (e.g., NOPASSWD setting is configured, or a recent <code>sudo</code> timestamp cache exists), the <code>sh</code> interpreter executes the <code>sudoPassword</code> value as arbitrary shell commands.</li>
<li>The injected OS commands are executed with root privileges on the underlying Linux operating system of the <code>9Router</code> appliance.</li>
<li>The attacker achieves full system compromise, enabling data exfiltration, further lateral movement, or persistent control of the device.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The exploitation of CVE-2026-59800, with a CVSS v3.1 Base Score of 9.8 (Critical), results in complete compromise of the affected 9Router appliance. Successful exploitation grants an unauthenticated remote attacker root-level access to the underlying Linux operating system. This allows for arbitrary code execution, enabling attackers to exfiltrate sensitive network configurations, disrupt network services, establish persistent backdoors, or pivot into the internal network. Given that Shadowserver has observed active exploitation, organizations using vulnerable 9Router versions are at immediate risk of severe security breaches and operational disruption.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately patch <code>9Router</code> instances to version 0.4.44 or newer to address <code>CVE-2026-59800</code>.</li>
<li>Deploy the Sigma rule provided in this brief to your SIEM to detect exploitation attempts of <code>CVE-2026-59800</code> via web server logs.</li>
<li>Configure web server or WAF logging to capture HTTP request bodies for the <code>/api/tunnel/tailscale-install</code> endpoint, if possible, to aid in payload analysis.</li>
<li>Review and enforce strong <code>sudo</code> configurations on Linux systems, ensuring that <code>NOPASSWD</code> is not used unnecessarily and <code>sudo</code> requires authentication.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">threat</category><category>os-command-injection</category><category>rce</category><category>web-vulnerability</category><category>network-appliance</category><category>linux</category></item></channel></rss>