Executive Summary

CVE-2026-36540 is a vulnerability in the Netis AC1200 Router NC21 running firmware version V4.0.1.4296 that allows unauthenticated remote code execution.

The flaw exists in the /cgi-bin/skk_set.cgi endpoint, where the password and new_pwd_confirm POST parameters are passed directly to the underlying operating system shell without proper sanitization.

An attacker can exploit this by injecting arbitrary shell commands wrapped in backticks (`) and encoded in base64.

Since the endpoint requires no authentication, any device on the local network can execute commands on the router's operating system with a single HTTP POST request.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker on the local network to achieve full remote code execution on the router's operating system without any authentication.

An attacker can execute arbitrary shell commands, potentially taking full control of the router.

This could lead to unauthorized access, manipulation of network traffic, disruption of network services, or use of the router as a foothold for further attacks within the network.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking for unauthorized HTTP POST requests to the /cgi-bin/skk_set.cgi endpoint on the Netis AC1200 Router NC21 running firmware version V4.0.1.4296. Specifically, look for POST parameters named password and new_pwd_confirm containing base64-encoded payloads wrapped in backticks (`), which indicate attempts to inject shell commands.

A practical detection method is to monitor network traffic for such POST requests originating from devices on the LAN. Additionally, you can attempt to manually test the endpoint by sending a crafted HTTP POST request with a benign command encoded in base64 wrapped in backticks to see if the router executes it.

Example command using curl to test the vulnerability (run from a device on the LAN):

• curl -X POST http://[router_ip]/cgi-bin/skk_set.cgi -d "password=`echo Y2F0IC9ldGMvcGFzc3dk | base64 -d`" -d "new_pwd_confirm=`echo Y2F0IC9ldGMvcGFzc3dk | base64 -d`"

This command attempts to execute 'cat /etc/passwd' on the router by injecting the base64-encoded command. If the router responds or behaves unexpectedly, it indicates the vulnerability is present.

Useful 0 Not Useful 0

Mitigation Strategies

Since no patch has been released by the vendor as of the publication date, immediate mitigation steps include:

• Restrict access to the router's management interface by limiting LAN devices that can communicate with the /cgi-bin/skk_set.cgi endpoint.
• Implement network segmentation or firewall rules to block HTTP POST requests to /cgi-bin/skk_set.cgi from unauthorized devices.
• Monitor network traffic for suspicious POST requests targeting the vulnerable endpoint.
• Consider replacing or upgrading the router to a model or firmware version that is not vulnerable.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows unauthenticated remote code execution on the Netis AC1200 Router, which could lead to unauthorized access and control over the device. This poses significant risks to the confidentiality, integrity, and availability of data transmitted through or stored on the router.

Such unauthorized access could result in violations of common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.

Because the vulnerability enables attackers on the local network to execute arbitrary commands without authentication, it undermines the security controls necessary to maintain compliance with these regulations.

Useful 0 Not Useful 0