External risk intelligence

9Router OS Command Injection via Tailscale Install API

CVE advisorySeverity: CRITICAL (CVSS 9.2)

CVE-2026-59800

The vulnerability exists in an unauthenticated API endpoint (/api/tunnel/tailscale-install) within a router product. As this is an internet-facing edge networking device and the endpoint is accessible without authentication, it is designed to be reachable from the network, making public internet exposure a standard deployment scenario.

OS Command Injection

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory details a critical vulnerability in 9Router software that allows unauthenticated remote attackers to execute arbitrary operating system commands. The issue stems from improper handling of a password field in an API request, which can be manipulated to inject and run malicious commands when certain conditions are met. This could lead to a complete compromise of affected devices.

  • Command injection in an unauthenticated API.
  • Impacts internet-facing edge networking devices.
  • Confirm relevance and exposure of affected systems.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can send a specially crafted POST request to the `/api/tunnel/tailscale-install` endpoint. This request's `sudoPassword` field is fed directly into a shell process. If the system is configured such that `sudo` doesn't require a password, the attacker's input is interpreted as shell commands, enabling arbitrary OS command execution on the device.

  • No authentication is required.
  • POST to `/api/tunnel/tailscale-install`.
  • Allows arbitrary OS command execution.

Live Threat

Current exploitation, exposure, and threat context

A remote, unauthenticated attacker could execute arbitrary operating system commands on the affected system when certain conditions allow the `sudoPassword` field to be interpreted as shell commands. This could occur when the system runs as root, NOPASSWD is configured, or a recent sudo timestamp cache exists, enabling the attacker to bypass the need for a password prompt.

  • System commands could be executed.
  • Via unauthenticated API endpoint.
  • Compromise of system integrity.

Operational Fix

Recommended remediation, mitigation, and detection steps

This OS command injection vulnerability in 9Router affects unauthenticated API endpoints, meaning system owners or infrastructure teams managing network edge devices are likely responsible for remediation. The first practical step is to identify all instances of the affected router, determine their network exposure, and ascertain if they are business-critical to prioritize mitigation efforts.

  • Verify router exposure and criticality.
  • Identify accountable router owners.
  • Plan and execute remediation actions.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is 9Router?

9Router is a software application designed for networking equipment. It is used to manage connectivity and edge routing functions. This vulnerability specifically affects the software's ability to handle integrated services like Tailscale installation via its API.

What is the vulnerability in CVE-2026-59800?

This is an OS command injection vulnerability, classified as CWE-78. It means the software mistakenly treats data provided by a user as a system command. By sending specific input through an API, an attacker can trick the underlying operating system into running unauthorized commands with elevated privileges.

How can an attacker trigger this command injection?

An attacker sends a specially crafted POST request to an unauthenticated API endpoint. The attack relies on the system's sudo configuration; it succeeds if the system does not prompt for a password when executing shell commands. If the system forces a password prompt, the injection will not execute as intended because the input cannot be interpreted as a command.

Is my device at risk based on Halo Surface Signal?

Yes, if you use 9Router, your device is at higher risk. According to Halo Surface Signal, this software component is an internet-facing edge networking device. Because the affected API endpoint requires no authentication and is designed to be reachable over a network, these routers are often publicly exposed by default.

What steps should I take if I use 9Router?

First, inventory your network to locate all running instances of 9Router. Assess whether these devices are accessible from the internet and identify the teams responsible for them. Prioritize these systems for patching or configuration changes to ensure the vulnerable API endpoint is secured or restricted from external access.

References