Unraid Web Server ToggleState Command Injection (CVE‑2026‑9773) Enables Remote Code Execution
What It Is — A command‑injection flaw in ToggleState.php of the Unraid web UI allows an authenticated attacker to run arbitrary system commands as the www‑data user.
Exploitability — CVSS 8.8 (AV:N/AC:L/PR:L/UI:N). A proof‑of‑concept exists; exploitation requires a valid Unraid login but no further privileges.
Affected Products — Unraid OS (all versions prior to 7.3.0 stable).
Why It Matters for Compliance & Audit Readiness
- Control Mapping – The vulnerability highlights gaps in your configuration‑management and vulnerability‑remediation controls (SOC 2 CC6.1, CC6.2).
- Continuous Evidence – Demonstrating timely patching and proof of remediation is essential audit evidence for a defensible SOC 2 report.
- Enterprise Buyer Expectations – Prospects increasingly request proof that critical infrastructure is kept up‑to‑date; a missing patch can stall deals.
Recommended Actions
- Verify your Unraid version; upgrade immediately to 7.3.0 stable or later.
- Map the finding to SOC 2 Change Management and Vulnerability Management controls; record the remediation ticket and patch deployment as audit evidence.
- Enable automated monitoring for future Unraid releases and integrate patch status into your continuous compliance dashboard.