CVE-2026-36540
BaseFortify
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: MITRE
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| netis | ac1200_router | 4.0.1.4296 |
| netis_systems | ac1200_router | 4.0.1.4296 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-36540 is a vulnerability in the Netis AC1200 Router NC21 running firmware version V4.0.1.4296 that allows unauthenticated remote code execution.
The flaw exists in the /cgi-bin/skk_set.cgi endpoint, where the password and new_pwd_confirm POST parameters are passed directly to the underlying operating system shell without proper sanitization.
An attacker can exploit this by injecting arbitrary shell commands wrapped in backticks (`) and encoded in base64.
Since the endpoint requires no authentication, any device on the local network can execute commands on the router's operating system with a single HTTP POST request.
How can this vulnerability impact me?
This vulnerability allows an attacker on the local network to achieve full remote code execution on the router's operating system without any authentication.
An attacker can execute arbitrary shell commands, potentially taking full control of the router.
This could lead to unauthorized access, manipulation of network traffic, disruption of network services, or use of the router as a foothold for further attacks within the network.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for unauthorized HTTP POST requests to the /cgi-bin/skk_set.cgi endpoint on the Netis AC1200 Router NC21 running firmware version V4.0.1.4296. Specifically, look for POST parameters named password and new_pwd_confirm containing base64-encoded payloads wrapped in backticks (`), which indicate attempts to inject shell commands.
A practical detection method is to monitor network traffic for such POST requests originating from devices on the LAN. Additionally, you can attempt to manually test the endpoint by sending a crafted HTTP POST request with a benign command encoded in base64 wrapped in backticks to see if the router executes it.
Example command using curl to test the vulnerability (run from a device on the LAN):
- curl -X POST http://[router_ip]/cgi-bin/skk_set.cgi -d "password=`echo Y2F0IC9ldGMvcGFzc3dk | base64 -d`" -d "new_pwd_confirm=`echo Y2F0IC9ldGMvcGFzc3dk | base64 -d`"
This command attempts to execute 'cat /etc/passwd' on the router by injecting the base64-encoded command. If the router responds or behaves unexpectedly, it indicates the vulnerability is present.
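The traffic check described above, as an added example that is not part of the original page or any vendor tooling: a Python function that inspects a captured HTTP request for POSTs to /cgi-bin/skk_set.cgi whose password or new_pwd_confirm value contains a backtick, either literally or after base64 decoding. The function names, the sample requests, the second CGI path and the 192.0.2.1 address are constructed for illustration.

```python
import base64
import binascii
from urllib.parse import parse_qsl, urlencode, urlsplit

ENDPOINT = "/cgi-bin/skk_set.cgi"          # endpoint named in the advisory
PARAMS = {"password", "new_pwd_confirm"}   # parameters named in the advisory

def b64_text(value):
    """Return the base64-decoded text of value, or "" if it is not valid base64."""
    try:
        # parse_qsl turns a raw '+' into a space; undo that before decoding
        return base64.b64decode(value.replace(" ", "+"), validate=True).decode("latin-1")
    except (binascii.Error, ValueError):
        return ""

def inspect_request(raw_request):
    """Return findings for one raw HTTP request (request line, headers, body)."""
    head, _, body = raw_request.partition("\r\n\r\n")
    parts = head.split("\r\n", 1)[0].split()
    if len(parts) < 2 or parts[0].upper() != "POST" or urlsplit(parts[1]).path != ENDPOINT:
        return []
    findings = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        if name not in PARAMS:
            continue
        if "`" in value:
            findings.append(f"{name}: backtick in value")
        elif "`" in b64_text(value):
            findings.append(f"{name}: backtick after base64 decoding")
    return findings

def sample_post(path, fields):
    """Build one constructed sample request (192.0.2.1 is a documentation address)."""
    body = urlencode(fields)
    return f"POST {path} HTTP/1.1\r\nHost: 192.0.2.1\r\nContent-Length: {len(body)}\r\n\r\n{body}"

# Constructed samples; MARKER is a harmless placeholder, not a real payload.
MARKER = "`MARKER`"
SAMPLES = {
    "benign": sample_post(ENDPOINT, {"password": "Summer2026", "new_pwd_confirm": "Summer2026"}),
    "literal": sample_post(ENDPOINT, {"password": MARKER, "new_pwd_confirm": "x"}),
    "encoded": sample_post(ENDPOINT, {"password": base64.b64encode(MARKER.encode()).decode(),
                                      "new_pwd_confirm": "x"}),
    "other_path": sample_post("/cgi-bin/example.cgi", {"password": MARKER}),
}

if __name__ == "__main__":
    for label, request in SAMPLES.items():
        print(label, inspect_request(request))
```

A legitimate password that happens to be valid base64 and decodes to a byte 0x60 is also flagged, so a hit is a reason to examine the request and its source host, not proof of an attempt.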
What immediate steps should I take to mitigate this vulnerability?
Since no patch has been released by the vendor as of the publication date, immediate mitigation steps include:
- Restrict access to the router's management interface by limiting LAN devices that can communicate with the /cgi-bin/skk_set.cgi endpoint.
- Implement network segmentation or firewall rules to block HTTP POST requests to /cgi-bin/skk_set.cgi from unauthorized devices.
- Monitor network traffic for suspicious POST requests targeting the vulnerable endpoint.
- Consider replacing or upgrading the router to a model or firmware version that is not vulnerable.