sir3ns

3 exploits | Active since May 2026
CVE-2026-36538 WRITEUP HIGH
Netis AC1200 Router NC21 V4.0.1.4296 - Hard-coded Root Credential in /etc/shadow.sample
Netis AC1200 Router NC21 V4.0.1.4296 contains a hard-coded root credential stored in /etc/shadow.sample. The password for the root account is set to the trivially weak value "root", allowing an attacker with access to the device to authenticate as root and gain full control of the underlying operating system.
CVSS 7.3
CVE-2026-36539 WRITEUP HIGH
Netis AC1200 Router NC21 V4.0.1.4296 - Unauthenticated Information Disclosure via skk_get.cgi
Netis AC1200 Router NC21 V4.0.1.4296 exposes a CGI endpoint /cgi-bin/skk_get.cgi that returns the entire router configuration as a JSON response with no authentication required. Any attacker on the LAN can send a single HTTP GET request and instantly retrieve administrator credentials, WiFi passwords, PPPoE credentials, DDNS credentials, and a full map of all connected devices.
CVSS 7.3
CVE-2026-36540 WRITEUP HIGH
Netis AC1200 Router NC21 V4.0.1.4296 - Unauthenticated Remote Code Execution via skk_set.cgi POST Parameters
Netis AC1200 Router NC21 V4.0.1.4296 is vulnerable to unauthenticated command injection via the /cgi-bin/skk_set.cgi endpoint. The password and new_pwd_confirm POST parameters are passed directly to the underlying OS shell without sanitization. An attacker can inject arbitrary shell commands by wrapping them in backticks (`) and encoding them in base64. Because the endpoint requires no authentication, any device on the LAN can achieve full Remote Code Execution on the router's operating system with a single HTTP POST request.
CVSS 7.3