Which versions of Power 15Ax are affected by CVE-2026-4840?

Netcore Power 15AX routers contain a critical remote command execution vulnerability affecting authenticated users, with public exploit code now available.

Is there a public PoC exploit available for CVE-2026-4840?

Yes, a public proof-of-concept exploit is available for CVE-2026-4840. Prioritise patching immediately. EPSS: 0.2%.

How to fix or mitigate CVE-2026-4840?

Within 24 hours: Identify and inventory all Netcore Power 15AX routers in production (firmware ≤3.0.0.6938) and restrict network access to the /bin/netis.cgi endpoint. Within 7 days: Implement WAF rules to block suspicious IpAddr parameters and disable the Diagnostic Tool Interface if operationally feasible. Within 30 days: Contact Netcore for security updates, evaluate device replacement timelines, or migrate critical functions to alternative networking equipment pending vendor patch availability.

Power 15Ax CVE-2026-4840

Q: What is the CVSS score of CVE-2026-4840?

CVE-2026-4840 has a CVSS 4.0 base score of 7.4 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.2%.

EUVD-2026-16108 HIGH

OS Command Injection (CWE-78)

2026-03-26 VulDB

Command Injection Power 15Ax

7.4

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

7.4 HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Re-analysis Queued

Apr 24, 2026 - 16:37 vuln.today

cvss_changed

PoC Detected

Mar 30, 2026 - 13:26 vuln.today

Public exploit code

EUVD ID Assigned

Mar 26, 2026 - 04:30 euvd

EUVD-2026-16108

Analysis Generated

Mar 26, 2026 - 04:30 vuln.today

CVE Published

Mar 26, 2026 - 04:05 nvd

HIGH 7.4

DescriptionCVE.org

A security flaw has been discovered in Netcore Power 15AX up to 3.0.0.6938. Affected by this issue is the function setTools of the file /bin/netis.cgi of the component Diagnostic Tool Interface. Performing a manipulation of the argument IpAddr results in os command injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

A critical OS command injection vulnerability exists in the Diagnostic Tool Interface of Netcore Power 15AX routers up to firmware version 3.0.0.6938. An authenticated attacker with low-level privileges can remotely execute arbitrary operating system commands by manipulating the IpAddr parameter in the setTools function of /bin/netis.cgi. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Authenticate to Netcore Power device

Exploit

Send crafted request to /bin/netis.cgi

Execution

Inject OS command via IpAddr parameter

Impact

Execute arbitrary system commands with device privileges