## Overview
Decolua has released a critical security advisory for its 9Router product. The vulnerability, tracked as CVE-2026-59800, affects versions prior to 0.4.44. It allows unauthenticated remote attackers to execute arbitrary OS commands.
## Technical Details
The vulnerability resides in the unauthenticated POST /api/tunnel/tailscale-install endpoint. This endpoint lacks proper authorization checks due to being outside the dashboard middleware matcher. The sudoPassword field from the request body is piped into a 'sudo -S sh' child process. If the sudo command does not prompt for a password—due to configurations like NOPASSWD or a valid sudo timestamp—the input is treated as a shell command. This allows attackers to run commands with root privileges.
## Impact
Successful exploitation of CVE-2026-59800 can lead to complete system compromise. Attackers can execute any command on the affected system, potentially leading to data breaches, system manipulation, or further network infiltration. The vulnerability has a CVSS score of 9.2, indicating its critical nature.
## Mitigation
Defenders should prioritize updating affected systems to version 0.4.44 or later. Immediate action is necessary to close this vulnerability. Additionally, review firewall rules and network segmentation to limit exposure of the vulnerable endpoint. Implementing strict input validation and monitoring for unusual activity can further mitigate risks.
CSURFACE Threat Sensor