What is the CVSS score of CVE-2026-36538?

CVE-2026-36538 has a CVSS 3.1 base score of 7.3 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L. EPSS exploitation probability: 0.0%.

Which versions of Netis AC1200 Router are affected by CVE-2026-36538?

All Netis AC1200 Router NC21 devices running firmware V4.0.1.4296 in your environment share identical hard-coded administrative credentials, creating critical exposure if the management interface is…

Netis AC1200 Router CVE-2026-36538

HIGH

Use of Hard-coded Credentials (CWE-798)

2026-05-27 cve@mitre.org

Authentication Bypass

7.3

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

Lifecycle Timeline

Analysis Generated

May 28, 2026 - 14:22 vuln.today

CVSS changed

May 28, 2026 - 14:22 NVD

7.3 (HIGH)

CVE Published

May 27, 2026 - 14:16 nvd

UNKNOWN (no severity yet)

DescriptionNVD

Netis AC1200 Router NC21 V4.0.1.4296 contains a hard-coded root credential stored in /etc/shadow.sample. The password for the root account is set to the trivially weak value root, allowing an attacker with access to the device to authenticate as root and gain full control of the underlying operating system.

AnalysisAI

Hard-coded root credentials in Netis AC1200 Router NC21 firmware V4.0.1.4296 allow attackers who reach the device to log in as root using the trivially guessable password 'root' stored in /etc/shadow.sample. No public exploit identified at time of analysis and EPSS is very low (0.02%), but the credential is static across affected units, making any exposed management interface a one-step compromise. …

RemediationAI

Within 24 hours: Identify all Netis AC1200 Router NC21 devices running firmware V4.0.1.4296; immediately restrict management interface access via firewall rules to known trusted internal IP ranges only; disable remote management features. Within 7 days: Implement network segmentation isolating management ports from general network traffic; enable authentication logging on management interfaces; document all access points and review logs for unauthorized access attempts. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-36538 vulnerability details – vuln.today

Back