Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network, unauthenticated (PR:N/UI:N) with root-level C/I/A impact, but AC:H because execution requires the non-default sudo condition (root/NOPASSWD/cached timestamp); no scope change so S:U.
Primary rating from Vendor (vulncheck).
CVSS VectorVendor: vulncheck
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
9Router before 0.4.44 contains an OS command injection vulnerability in the unauthenticated POST /api/tunnel/tailscale-install endpoint (this route is not covered by the dashboard middleware matcher, so no authorization check is applied). The sudoPassword field from the request body is written to the stdin of a 'sudo -S sh' child process. When sudo does not prompt for a password (the process runs as root, NOPASSWD is configured, or a recent sudo timestamp cache exists), the sudoPassword value is interpreted by sh as a shell command, allowing a remote unauthenticated attacker to execute arbitrary OS commands. Exploitation evidence was first observed by the Shadowserver Foundation on 2026-07-04 (UTC).
AnalysisAI
Remote unauthenticated OS command injection in 9Router before 0.4.44 lets attackers run arbitrary commands as root via the POST /api/tunnel/tailscale-install endpoint, which is excluded from the dashboard authorization middleware. The attacker-supplied sudoPassword field is piped to the stdin of a 'sudo -S sh' child process; when sudo does not prompt for a password, sh interprets that value as a shell command. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires reaching the unauthenticated POST /api/tunnel/tailscale-install endpoint over the network (this specific route is not covered by the dashboard middleware matcher, so no authentication is needed) and supplying a crafted sudoPassword body field. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | This is a genuine high-priority issue rather than an inflated CVSS number: the CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:N/UI:N) describes network-reachable, low-complexity, unauthenticated exploitation with high confidentiality, integrity and availability impact, and code execution occurs as root. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker scanning the internet for exposed 9Router dashboards sends a single crafted POST to /api/tunnel/tailscale-install with a sudoPassword body value containing shell metacharacters/commands. Because the route bypasses the dashboard authorization middleware and the underlying 'sudo -S sh' does not prompt (the service runs as root or has cached/NOPASSWD sudo), the injected string is executed by sh as root, giving full command execution with no authentication or user interaction. … |
| Remediation | Upgrade to 9Router 0.4.44 or later - Vendor-released patch: 0.4.44 - per GitHub advisory GHSA-g6g7-pvmx-m74p (https://github.com/decolua/9router/security/advisories/GHSA-g6g7-pvmx-m74p) and the VulnCheck advisory (https://www.vulncheck.com/advisories/9router-os-command-injection-via-sudopassword-parameter-in-tailscale-install-endpoint). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all 9Router instances running versions 0.4.43 or earlier and implement emergency network access controls restricting access to the vulnerable POST /api/tunnel/tailscale-install endpoint. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42073
GHSA-g6g7-pvmx-m74p