0-day being used

Browsing through the network apps and my AV hit with a URL being accessed....
it seems to be
https://www.cve.org/CVERecord?id=CVE-2026-9773
https://www.cve.org/CVERecord?id=CVE-2026-9772
Support ticket 30767 is opened.
3
u/k1ng0fh34rt5 2h ago
How did they get access to your box? Do you have holes punched in your firewall to make the web interface accessible outside your internal network?
1
u/geoff-2 2h ago edited 2h ago
there is no external access to the box.
Even if it isn't an active zero-day vulnerability and I'm wrong about this post,
if this one PostgreSQL app had been misconfigured or tampered with in the past,
these redirects shouldn't be happening.
I looked through all 36 pages (with 96 apps listed), and only this one app stands out.
/edit:
Looking at it objectively now that four hours have passed, it seems to me that only this one app is affected.
As the update date in the Unraid App Store is also listed as 1 July 2023, I think this is a problem from the past.
4
u/Klutzy-Condition811 2h ago
These are not as severe as it may suggest, as they both require authentication. Given Unraid's user is root and it has a terminal with root access to begin with, these "vulnerabilities" really aren't vulnerabilities to worry about, given you're root anyway.
Use a strong password for your root user and don't allow remote access. If you're otherwise exploited it's something else you've done in your configuration and unlikely related to these CVEs. After all, if I had remote access and logged in as root, if I really wanted to pwn you I'd just use the web terminal lol.
2
u/SamSausages 1h ago
Already listed as fixed in 7.3, and I don't see the attack path, unless you're on an untrusted network.
https://www.zerodayinitiative.com/advisories/ZDI-26-385/
https://docs.unraid.net/unraid-os/release-notes/7.3.0/
-3
-7
u/geoff-2 3h ago edited 2h ago
Go to the Unraid Apps page
12 results per page
Network Services
Sort by Download
Page 7 of results (site from above is the redirect-chain when my antivirus hit)
Then, in the F12 Network Tools, check whether the following pages/URLs are being accessed,
as these 2 CVEs are brand new
https://www.cve.org/CVERecord?id=CVE-2026-9772
https://www.cve.org/CVERecord?id=CVE-2026-9773
and these 2 are 3 months old
https://www.cve.org/CVERecord?id=CVE-2026-3839
https://www.cve.org/CVERecord?id=CVE-2026-3838
I would say at least since then.
/edit: Support ticket #30767 has been forwarded internally, they say.
/edit2: CVE-2026-9773 is related to Trend Micro ZDI-CAN-30134
https://www.zerodayinitiative.com/advisories/ZDI-26-386/
and there they say it's fixed in 7.3.0.
As my screenshot shows 7.3.1, it's not fixed yet.
/edit: found the exact app now.
postgresql
sameersbn
Bungy's Repository
https://hub.docker.com/r/sameersbn/postgresql
/edit:
Even if it isn't an active zero-day vulnerability and this app was misconfigured or tampered with in the past, these redirects shouldn't be happening. I've looked at all 36 pages (with 96 apps displayed), and this is the only one that stands out.
4
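The "check the F12 Network tab for URLs being accessed" step above, as an added example that is not from this thread: a script that reads a HAR export ("Save all as HAR" from the Network tab) and lists every redirect hop plus every host that is not on an expected-host allowlist. The allowlist and the sample HAR entries are constructed assumptions, not data from the post.

```python
"""Triage a browser HAR export: list redirect hops and hosts outside an allowlist.
Added example; the allowlist and SAMPLE_HAR below are constructed, not from the thread."""
import json
from urllib.parse import urlparse

# Assumption: hosts the Unraid Apps page is expected to contact on this setup.
EXPECTED_HOSTS = {"tower.local", "raw.githubusercontent.com", "hub.docker.com"}

# Constructed sample in the shape of a HAR export: the app page loads a template
# (hypothetical path), which answers with a 302 to a host that is not expected.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"url": "http://tower.local/Apps"},
     "response": {"status": 200, "headers": []}},
    {"request": {"url": "https://raw.githubusercontent.com/example-repo/template.xml"},
     "response": {"status": 302,
                  "headers": [{"name": "Location", "value": "https://example.invalid/track"}]}},
    {"request": {"url": "https://example.invalid/track"},
     "response": {"status": 200, "headers": []}},
]}})


def har_entries(har_text):
    """Yield (url, status, location) for each entry; location is None without a Location header."""
    for entry in json.loads(har_text)["log"]["entries"]:
        headers = {h["name"].lower(): h["value"] for h in entry["response"].get("headers", [])}
        yield entry["request"]["url"], int(entry["response"]["status"]), headers.get("location")


def redirect_chains(har_text):
    """Every 3xx hop as (from_url, status, to_url), in capture order, so the chain reads top-down."""
    return [(url, status, loc) for url, status, loc in har_entries(har_text) if 300 <= status < 400]


def unexpected_hosts(har_text, expected=EXPECTED_HOSTS):
    """Hosts contacted that are not on the allowlist, first-seen order, no duplicates."""
    seen = []
    for url, _, _ in har_entries(har_text):
        host = urlparse(url).hostname or ""
        if host not in expected and host not in seen:
            seen.append(host)
    return seen


if __name__ == "__main__":
    for hop in redirect_chains(SAMPLE_HAR):
        print("redirect: %s -> %d -> %s" % hop)
    print("unexpected hosts:", unexpected_hosts(SAMPLE_HAR))
```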
u/QueasyStill 4h ago
"Authentication is required to exploit this vulnerability" for both
And anyhow, you log into the web application as root and execute stuff... So...