CVE-2026-4840

HIGH

Netcore Power 15AX Diagnostic Tool netis.cgi setTools os command injection

Title source: cna

Description

A security flaw has been discovered in Netcore Power 15AX up to 3.0.0.6938. Affected by this issue is the function setTools of the file /bin/netis.cgi of the component Diagnostic Tool Interface. Performing a manipulation of the argument IpAddr results in os command injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

References (4)

Core 4

Core References

Vdb Entry, Technical Description vdb-entry technical-description

VDB-353146 | Netcore Power 15AX Diagnostic Tool netis.cgi setTools os command injection

https://vuldb.com/?id.353146

Signature, Permissions Required signature permissions-required

VDB-353146 | CTI Indicators (IOB, IOC, TTP, IOA)

https://vuldb.com/?ctiid.353146

Third Party Advisory third-party-advisory

Submit #776127 | Netcore POWER15AX V3.0.0.6938 Command Injection

https://vuldb.com/?submit.776127

Exploit exploit

https://github.com/fakervsbln/netcore-power15ax-cve

View Exploit ZIP pw:eip

Scores

CVSS v3 8.8

EPSS 0.0171

EPSS Percentile 74.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-77 CWE-78

Status published

Products (1)

Netcore/Power 15AX 3.0.0.6938

Published Mar 26, 2026

Tracked Since Mar 26, 2026