# [CRIT] [GHSA / CRITICAL] CVE-2026-46339: 9router: Unauthenticated Remote Code Execution via unprotected MCP custom plugin routes **Source:** GitHub Security Advisories **Published:** 2026-05-19 **Article:** https://github.com/advisories/GHSA-fhh6-4qxv-rpqj ## Threat Profile 9router: Unauthenticated Remote Code Execution via unprotected MCP custom plugin routes ## Summary 9router exposes two unauthenticated API endpoints that, when chained together, allow any network-adjacent attacker to execute arbitrary OS commands as the user running the 9router process — with **zero prerequisites** and **no credentials required**. The vulnerability exists because the Next.js middleware that enforces authentication (`src/proxy.js`) only guards 8 explicitly listed routes. The a… ## Indicators of Compromise (high-fidelity only) - **CVE:** `CVE-2026-46339` ## MITRE ATT&CK Techniques - **T1190** — Exploit Public-Facing Application - **T1021.002** — SMB/Windows Admin Shares - **T1569.002** — Service Execution - **T1219** — Remote Access Software - **T1204.002** — User Execution: Malicious File - **T1059.004** — Unix Shell - **T1071.001** — Web Protocols - **T1095** — Non-Application Layer Protocol ## Kill chain phases observed _(none detected from narrative keywords)_ ## Recommended hunts ### 9router unauthenticated RCE — POST /api/cli-tools/cowork-settings with customPlugins.command `UC_251_4` · phase: **exploit** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats summariesonly=true count, min(_time) as firstTime, max(_time) as lastTime from datamodel=Web.Web where Web.http_method=POST Web.url="*/api/cli-tools/cowork-settings*" by Web.src, Web.dest, Web.url, Web.http_method, Web.dest_port, Web.http_user_agent | `drop_dm_object_name(Web)` | where dest_port=20128 OR isnull(dest_port) | convert ctime(firstTime) ctime(lastTime) ``` ### 9router CVE-2026-46339 — GET /api/mcp/{plugin}/sse triggers stored command spawn() `UC_251_5` · phase: **exploit** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats summariesonly=true count, min(_time) as firstTime from datamodel=Web.Web where Web.http_method=GET Web.url="*/api/mcp/*/sse*" by Web.src, Web.dest, Web.url, Web.http_method, Web.dest_port, Web.http_user_agent | `drop_dm_object_name(Web)` | where dest_port=20128 OR isnull(dest_port) | convert ctime(firstTime) ``` ### 9router Node.js process spawning shell binary (CVE-2026-46339 post-exploit) `UC_251_6` · phase: **install** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats summariesonly=true count, min(_time) as firstTime, values(Processes.process) as cmdlines from datamodel=Endpoint.Processes where (Processes.parent_process_name=node OR Processes.parent_process_name="next-server" OR Processes.parent_process="*node*server.js*" OR Processes.parent_process="*9router*") (Processes.process_name=bash OR Processes.process_name=sh OR Processes.process_name=dash OR Processes.process_name=ash OR Processes.process_name=zsh) by Processes.dest, Processes.user, Processes.process_name, Processes.parent_process_name, Processes.process | `drop_dm_object_name(Processes)` | convert ctime(firstTime) ``` **Defender KQL:** ```kql DeviceProcessEvents | where Timestamp > ago(7d) | where InitiatingProcessFileName =~ "node" or InitiatingProcessCommandLine has_any ("server.js","next-server","9router") | where FileName in~ ("sh","bash","dash","ash","zsh","ksh") | project Timestamp, DeviceName, AccountName, ParentImage = InitiatingProcessFolderPath, ParentCmd = InitiatingProcessCommandLine, ChildImage = FolderPath, ChildCmd = ProcessCommandLine, SHA256 | order by Timestamp desc ``` ### Reverse shell from 9router-spawned shell — outbound TCP from node-child bash `UC_251_7` · phase: **c2** · confidence: **Medium** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats summariesonly=true count, min(_time) as firstTime, values(All_Traffic.dest_port) as ports from datamodel=Network_Traffic.All_Traffic where (All_Traffic.app=bash OR All_Traffic.app=sh OR All_Traffic.app=dash OR All_Traffic.process_name=bash OR All_Traffic.process_name=sh) All_Traffic.dest_category!=internal by All_Traffic.src, All_Traffic.dest, All_Traffic.dest_port, All_Traffic.app, All_Traffic.process_name | `drop_dm_object_name(All_Traffic)` | convert ctime(firstTime) ``` **Defender KQL:** ```kql DeviceNetworkEvents | where Timestamp > ago(7d) | where InitiatingProcessFileName in~ ("sh","bash","dash","ash","zsh") | where InitiatingProcessParentFileName =~ "node" or InitiatingProcessCommandLine has_any ("/dev/tcp/","bash -i","nc -e") | where RemoteIPType == "Public" | project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName, RemoteIP, RemotePort, RemoteUrl, Protocol | order by Timestamp desc ``` ### Remote service execution — PsExec / SMB lateral movement `UC_LATERAL_PSEXEC` · phase: **actions** · confidence: **High** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("psexec.exe","psexesvc.exe","paexec.exe","smbexec.py") OR (Processes.process_name="wmic.exe" AND Processes.process="*/node:*") by Processes.dest, Processes.user, Processes.process_name, Processes.process, Processes.parent_process_name | `drop_dm_object_name(Processes)` ``` **Defender KQL:** ```kql DeviceProcessEvents | where Timestamp > ago(7d) | where AccountName !endswith "$" | where FileName in~ ("psexec.exe","psexesvc.exe","paexec.exe","smbexec.py") or (FileName =~ "wmic.exe" and ProcessCommandLine has "/node:") | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName | order by Timestamp desc ``` ### RMM tool installed by non-IT user — remote-access utility for hands-on-keyboard `UC_RMM_TOOLS` · phase: **install** · confidence: **High** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("AnyDesk.exe","TeamViewer.exe","TeamViewer_Service.exe", "ScreenConnect.ClientService.exe","ConnectWiseControl.ClientService.exe", "atera_agent.exe","SplashtopStreamer.exe","RustDesk.exe","NinjaOne.exe","kaseya*.exe") by Processes.dest, Processes.user, Processes.process_name, Processes.process, Processes.parent_process_name | `drop_dm_object_name(Processes)` ``` **Defender KQL:** ```kql DeviceProcessEvents | where Timestamp > ago(7d) | where AccountName !endswith "$" | where FileName in~ ("AnyDesk.exe","TeamViewer.exe","TeamViewer_Service.exe", "ScreenConnect.ClientService.exe","ConnectWiseControl.ClientService.exe", "atera_agent.exe","SplashtopStreamer.exe","RustDesk.exe","NinjaOne.exe") or FileName matches regex @"(?i)kaseya.*\.exe" | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine ``` ### Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-46339: 9router: Unauthenticated Remote Code Execution `UC_251_3` · phase: **exploit** · confidence: **High** **Splunk SPL (CIM):** ```spl ``` Article-specific bespoke detection — [GHSA / CRITICAL] CVE-2026-46339: 9router: Unauthenticated Remote Code Execution ``` | tstats `summariesonly` count earliest(_time) AS firstTime latest(_time) AS lastTime from datamodel=Endpoint.Processes where (Processes.process_name IN ("next.js","poc.py")) by Processes.dest, Processes.user, Processes.process_name, Processes.process, Processes.parent_process_name, Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | append [ | tstats `summariesonly` count from datamodel=Endpoint.Filesystem where Filesystem.action IN ("created","modified") AND (Filesystem.file_path="*/dev/tcp/ATTACKER_IP/4444*" OR Filesystem.file_path="*/dev/tcp/...*" OR Filesystem.file_path="*/tmp/pwned.txt*" OR Filesystem.file_path="*/dev/null*" OR Filesystem.file_name IN ("next.js","poc.py")) by Filesystem.dest, Filesystem.user, Filesystem.process_name, Filesystem.file_path, Filesystem.file_name | `drop_dm_object_name(Filesystem)` ] ``` **Defender KQL:** ```kql // Article-specific bespoke detection — [GHSA / CRITICAL] CVE-2026-46339: 9router: Unauthenticated Remote Code Execution // Hunts the actual binaries / paths / commandline fragments named // in the article instead of a generic technique-class template. DeviceProcessEvents | where Timestamp > ago(30d) | where (FileName in~ ("next.js", "poc.py")) | project Timestamp, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine | order by Timestamp desc // File-creation events for the named binaries / paths DeviceFileEvents | where Timestamp > ago(30d) | where ActionType in ("FileCreated","FileModified") | where (FolderPath has_any ("/dev/tcp/ATTACKER_IP/4444", "/dev/tcp/...", "/tmp/pwned.txt", "/dev/null") or FileName in~ ("next.js", "poc.py")) | project Timestamp, DeviceName, AccountName, FolderPath, FileName, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine | order by Timestamp desc ``` ### IOC-driven hunts (use shared templates) These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing. - **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High** - CVE(s): `CVE-2026-46339` ## Why this matters Severity classified as **CRIT** based on: CVE present, 8 use case(s) fired, 8 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.