Executive Summary

CVE-2026-36539 is a vulnerability in the Netis AC1200 Router NC21 running firmware version 4.0.1.4296. It involves an unauthenticated information disclosure through the CGI endpoint /cgi-bin/skk_get.cgi. Any attacker on the local network can send a simple HTTP GET request to this endpoint and retrieve the entire router configuration without needing to authenticate.

The exposed configuration data includes sensitive information such as administrator credentials, WiFi passwords, PPPoE credentials, DDNS credentials, and a full map of all connected devices.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts because it allows an attacker on the local network to instantly obtain highly sensitive information from the router without any authentication.

• Exposure of administrator credentials can allow full control over the router.
• WiFi passwords being disclosed can enable unauthorized access to the wireless network.
• PPPoE and DDNS credentials exposure can lead to further network and service compromise.
• The attacker can also see all connected devices, which can be used for further targeted attacks or network reconnaissance.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by sending an unauthenticated HTTP GET request to the router's CGI endpoint /cgi-bin/skk_get.cgi on the local network. If the router responds with a JSON containing the full configuration including administrator credentials, WiFi passwords, and other sensitive data, it is vulnerable.

A simple command to test this would be using curl or wget from a device on the LAN:

• curl http://<router_ip>/cgi-bin/skk_get.cgi
• wget -qO- http://<router_ip>/cgi-bin/skk_get.cgi

If the response contains base64 encoded sensitive information in JSON format without requiring authentication, the vulnerability is present.

Useful 0 Not Useful 0

Mitigation Strategies

As no patch or vendor response is available, immediate mitigation steps include:

• Restrict access to the router's management interface to trusted devices only, ideally by isolating the router management network or using VLANs.
• Disable remote management features if enabled to reduce exposure.
• Monitor network traffic for suspicious HTTP GET requests to /cgi-bin/skk_get.cgi and block unauthorized requests using firewall rules.
• Change all administrator and WiFi passwords immediately in case they have been compromised.

Long term, consider replacing the vulnerable device or firmware with a secure alternative once a patch or update is available.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability exposes sensitive information such as administrator credentials, WiFi passwords, PPPoE credentials, DDNS credentials, and a full map of connected devices without any authentication. Such exposure of sensitive data can lead to unauthorized access and data breaches.

Because of this, organizations using the affected Netis AC1200 Router NC21 may face challenges in complying with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and disclosure.

Failure to protect such sensitive configuration data could result in violations of these standards, potentially leading to legal and financial consequences.

Useful 0 Not Useful 0