CVE-2026-36540

HIGH

Netis AC1200 Router NC21 V4.0.1.4296 - Unauthenticated Remote Code Execution via skk_set.cgi POST Parameters

Title source: llm

Description

Netis AC1200 Router NC21 V4.0.1.4296 is vulnerable to unauthenticated command injection via the /cgi-bin/skk_set.cgi endpoint. The password and new_pwd_confirm POST parameters are passed directly to the underlying OS shell without sanitization. An attacker can inject arbitrary shell commands by wrapping them in backticks (`) and encoding them in base64. Because the endpoint requires no authentication, any device on the LAN can achieve full Remote Code Execution on the router's operating system with a single HTTP POST request.

References (2)

Core 2

Core References

http://netis-system.com

https://github.com/sir3ns/cve-disclosure/blob/main/CVE-2026-36540/readme.md

View Writeup ZIP pw:eip

Scores

CVSS v3 7.3

EPSS 0.0150

EPSS Percentile 70.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-77

Status published

Published May 27, 2026

Tracked Since May 27, 2026