Netis AC1200 Router CVE-2026-36540
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Primary rating from Vendor (mitre) · only source for this CVE.
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
3DescriptionCVE.org
Netis AC1200 Router NC21 V4.0.1.4296 is vulnerable to unauthenticated command injection via the /cgi-bin/skk_set.cgi endpoint. The password and new_pwd_confirm POST parameters are passed directly to the underlying OS shell without sanitization. An attacker can inject arbitrary shell commands by wrapping them in backticks (`) and encoding them in base64. Because the endpoint requires no authentication, any device on the LAN can achieve full Remote Code Execution on the router's operating system with a single HTTP POST request.
AnalysisAI
Unauthenticated remote command injection in the Netis AC1200 Router (model NC21, firmware V4.0.1.4296) allows any LAN-resident attacker to execute arbitrary OS commands as the router's runtime user via a single HTTP POST to /cgi-bin/skk_set.cgi. The password and new_pwd_confirm parameters are concatenated into a shell invocation without sanitization, and exploitation requires no credentials. No public exploit is identified at time of analysis, though the disclosure repository documents the technique (base64-encoded backtick payloads), and EPSS scoring (0.21%) suggests limited broad exploitation pressure despite the trivial attack complexity.
Technical ContextAI
The affected component is the skk_set.cgi handler in the web management interface of Netis NC21 firmware V4.0.1.4296, a SOHO Wi-Fi router platform. The root cause is CWE-77 (Improper Neutralization of Special Elements used in a Command) - user-controlled POST fields are interpolated into an OS shell command, so backtick-wrapped payloads are evaluated by the shell as command substitution. The disclosure notes a base64 encoding step, which typically indicates the CGI script decodes the parameter server-side before passing it to system()/popen()-style execution, allowing the attacker to bypass any naive character filtering on the raw HTTP body. No CPE entries are published in the provided NVD data, so affected SKUs beyond the explicitly named NC21 build cannot be enumerated from structured sources.
Affected ProductsAI
Netis AC1200 Router, model NC21, firmware version V4.0.1.4296 is the only build explicitly confirmed vulnerable per the CVE description; other AC1200 hardware revisions or firmware versions are not enumerated in the available data (no CPE published). The vendor reference is the Netis system site at http://netis-system.com, and the discloser's writeup is hosted at https://github.com/sir3ns/cve-disclosure/blob/main/CVE-2026-36540/readme.md.
RemediationAI
No vendor-released patch identified at time of analysis - neither the NVD references nor the discloser's repository cite a fixed firmware build. Operators should check the Netis support portal (http://netis-system.com) for an updated NC21 firmware superseding V4.0.1.4296 and apply it once available. As compensating controls until a patch ships, disable remote (WAN-side) management of the web UI if enabled (side effect: lose remote administration), segment the router's management interface onto a dedicated VLAN or management SSID so untrusted LAN clients and guest networks cannot reach /cgi-bin/skk_set.cgi (side effect: requires re-architecting admin access), and consider an ACL or firewall rule blocking POST requests to /cgi-bin/skk_set.cgi from non-administrative subnets (side effect: legitimate password-change flows from those subnets will also fail). For high-risk deployments, replacing the device is the most durable mitigation given vendor patch cadence is unknown.
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today