Netis AC1200 Router CVE-2026-36538
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Primary rating from Vendor (mitre) · only source for this CVE.
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
3DescriptionCVE.org
Netis AC1200 Router NC21 V4.0.1.4296 contains a hard-coded root credential stored in /etc/shadow.sample. The password for the root account is set to the trivially weak value root, allowing an attacker with access to the device to authenticate as root and gain full control of the underlying operating system.
AnalysisAI
Hard-coded root credentials in Netis AC1200 Router NC21 firmware V4.0.1.4296 allow attackers who reach the device to log in as root using the trivially guessable password 'root' stored in /etc/shadow.sample. No public exploit identified at time of analysis and EPSS is very low (0.02%), but the credential is static across affected units, making any exposed management interface a one-step compromise. The flaw is classified as CWE-798 (Use of Hard-coded Credentials) and is tagged as an Authentication Bypass.
Technical ContextAI
The affected device is a Netis AC1200 dual-band consumer/SOHO wireless router (model NC21) running firmware V4.0.1.4296, built on an embedded Linux base where Unix-style account information is stored under /etc/shadow. The firmware ships a /etc/shadow.sample file containing a root account whose password hash decrypts to the literal string 'root'. CWE-798 describes exactly this class of defect: credentials embedded in shipped software or firmware that cannot be rotated by ordinary configuration and therefore apply identically to every deployed unit, undermining any per-device authentication assumption. Because Linux PAM and dropbear/openssh-style daemons commonly resolve authentication against this account database, anyone reaching an authentication surface (SSH, telnet, web UI, debug console) that consults the system password file can present root/root and obtain a full OS-level session.
Affected ProductsAI
Netis AC1200 Router, model NC21, firmware version V4.0.1.4296 is the only build named in the disclosure; no CPE strings were provided in the input and other NC21 firmware revisions or sibling AC1200 models cannot be confirmed affected or unaffected from the available data. Vendor reference is the Netis homepage at http://netis-system.com and the third-party disclosure write-up is at https://github.com/sir3ns/cve-disclosure/blob/main/CVE-2026-36538/readme.md.
RemediationAI
No vendor-released patch identified at time of analysis; the Netis reference (http://netis-system.com) and the researcher disclosure (https://github.com/sir3ns/cve-disclosure/blob/main/CVE-2026-36538/readme.md) should be monitored for a firmware update for NC21 superseding V4.0.1.4296. Until a fixed firmware ships, operators should manually change the root password via the device shell if accessible (side effect: may be reverted on factory reset or firmware upgrade), disable remote/WAN management entirely in the router admin UI (side effect: loses remote administration capability), restrict LAN-side access to SSH, telnet, and the web admin to a trusted management VLAN or single admin host via firewall rules (side effect: requires VLAN-capable network), and where feasible replace the device given that hard-coded credentials in consumer routers often indicate broader firmware hygiene issues.
Same weakness CWE-798 – Use of Hard-coded Credentials
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today