Netis AC1200 Router CVE-2026-36539
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
3DescriptionCVE.org
Netis AC1200 Router NC21 V4.0.1.4296 exposes a CGI endpoint /cgi-bin/skk_get.cgi that returns the entire router configuration as a JSON response with no authentication required. Any attacker on the LAN can send a single HTTP GET request and instantly retrieve administrator credentials, WiFi passwords, PPPoE credentials, DDNS credentials, and a full map of all connected devices.
AnalysisAI
Unauthenticated configuration disclosure in the Netis AC1200 Router NC21 (firmware V4.0.1.4296) allows any LAN-connected attacker to retrieve the device's full configuration via a single HTTP GET to /cgi-bin/skk_get.cgi. The dump exposes administrator credentials, WiFi and PPPoE passwords, DDNS credentials, and a map of connected clients, enabling immediate device takeover and lateral movement. No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.02%, 6th percentile).
Technical ContextAI
The vulnerable component is a CGI handler in the router's embedded web management interface - a common pattern in SOHO routers where Boa, mini_httpd, or similar lightweight web servers dispatch URLs under /cgi-bin/ to binaries or scripts that emit JSON for the management UI. The root cause is CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor): skk_get.cgi serializes the running configuration and returns it without any authentication or session check, meaning the endpoint trusts that the LAN is a security boundary. No CPE was published with the advisory, so the only confirmed affected target is the model and firmware build named in the description (Netis AC1200 NC21, firmware V4.0.1.4296).
Affected ProductsAI
The disclosure names the Netis AC1200 Router, model NC21, running firmware version V4.0.1.4296. No NVD CPE string was attached to the reference set, so other AC1200 hardware revisions or firmware builds may or may not share the vulnerable skk_get.cgi handler - owners of other Netis AC1200 variants should test the endpoint directly. The only published reference is the researcher's disclosure at https://github.com/sir3ns/cve-disclosure/blob/main/CVE-2026-36539/readme.md; no Netis vendor advisory URL is present in the available data.
RemediationAI
No vendor-released patch identified at time of analysis. Until Netis publishes updated firmware for the AC1200 NC21, the practical compensating controls are: restrict who can reach the router's HTTP management interface by isolating untrusted clients onto a dedicated guest SSID/VLAN that cannot route to the router's management IP (side effect: guests lose access to LAN-side services they may have relied on); confirm the WAN-side management interface is disabled so the endpoint is not internet-reachable; and rotate the admin password, WiFi PSK, PPPoE credentials, and DDNS credentials after any suspected exposure since they should be considered already compromised on any LAN where an untrusted device has been present. Monitor https://github.com/sir3ns/cve-disclosure/blob/main/CVE-2026-36539/readme.md and the Netis support site for a firmware release addressing the missing authentication check on /cgi-bin/skk_get.cgi.
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today