Skip to main content

Netis AC1200 Router CVE-2026-36539

HIGH
Information Exposure (CWE-200)
2026-05-27 cve@mitre.org
7.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.3 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
Analysis Generated
May 28, 2026 - 14:22 vuln.today
CVSS changed
May 28, 2026 - 14:22 NVD
7.3 (HIGH)
CVE Published
May 27, 2026 - 14:16 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Netis AC1200 Router NC21 V4.0.1.4296 exposes a CGI endpoint /cgi-bin/skk_get.cgi that returns the entire router configuration as a JSON response with no authentication required. Any attacker on the LAN can send a single HTTP GET request and instantly retrieve administrator credentials, WiFi passwords, PPPoE credentials, DDNS credentials, and a full map of all connected devices.

AnalysisAI

Unauthenticated configuration disclosure in the Netis AC1200 Router NC21 (firmware V4.0.1.4296) allows any LAN-connected attacker to retrieve the device's full configuration via a single HTTP GET to /cgi-bin/skk_get.cgi. The dump exposes administrator credentials, WiFi and PPPoE passwords, DDNS credentials, and a map of connected clients, enabling immediate device takeover and lateral movement. No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.02%, 6th percentile).

Technical ContextAI

The vulnerable component is a CGI handler in the router's embedded web management interface - a common pattern in SOHO routers where Boa, mini_httpd, or similar lightweight web servers dispatch URLs under /cgi-bin/ to binaries or scripts that emit JSON for the management UI. The root cause is CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor): skk_get.cgi serializes the running configuration and returns it without any authentication or session check, meaning the endpoint trusts that the LAN is a security boundary. No CPE was published with the advisory, so the only confirmed affected target is the model and firmware build named in the description (Netis AC1200 NC21, firmware V4.0.1.4296).

Affected ProductsAI

The disclosure names the Netis AC1200 Router, model NC21, running firmware version V4.0.1.4296. No NVD CPE string was attached to the reference set, so other AC1200 hardware revisions or firmware builds may or may not share the vulnerable skk_get.cgi handler - owners of other Netis AC1200 variants should test the endpoint directly. The only published reference is the researcher's disclosure at https://github.com/sir3ns/cve-disclosure/blob/main/CVE-2026-36539/readme.md; no Netis vendor advisory URL is present in the available data.

RemediationAI

No vendor-released patch identified at time of analysis. Until Netis publishes updated firmware for the AC1200 NC21, the practical compensating controls are: restrict who can reach the router's HTTP management interface by isolating untrusted clients onto a dedicated guest SSID/VLAN that cannot route to the router's management IP (side effect: guests lose access to LAN-side services they may have relied on); confirm the WAN-side management interface is disabled so the endpoint is not internet-reachable; and rotate the admin password, WiFi PSK, PPPoE credentials, and DDNS credentials after any suspected exposure since they should be considered already compromised on any LAN where an untrusted device has been present. Monitor https://github.com/sir3ns/cve-disclosure/blob/main/CVE-2026-36539/readme.md and the Netis support site for a firmware release addressing the missing authentication check on /cgi-bin/skk_get.cgi.

Share

CVE-2026-36539 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy