CVE-2026-36538
Description
Netis AC1200 Router NC21 V4.0.1.4296 contains a hard-coded root credential stored in /etc/shadow.sample. The password for the root account is set to the trivially weak value root, allowing an attacker with access to the device to authenticate as root and gain full control of the underlying operating system.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Netis AC1200 Router NC21 firmware V4.0.1.4296 has a hard-coded root password 'root' in /etc/shadow.sample, allowing full device compromise.
Vulnerability
Netis AC1200 Router NC21 running firmware version V4.0.1.4296 contains a hard-coded root credential stored in /etc/shadow.sample. The password for the root account is set to the trivially weak value root. This credential is present in the firmware by design and does not require any special configuration to be reachable [1].
Exploitation
An attacker with network access to the router can authenticate as root via SSH using the known password root. The SSH service must be enabled (default state). The attacker does not need prior authentication or user interaction. A proof-of-concept command is provided in the disclosure: ssh -oKexAlgorithms=... root@192.168.1.1 with password root [1].
Impact
Successful authentication as root grants the attacker full, unrestricted control of the underlying Linux operating system on the router. This includes the ability to read or modify all files, install persistent backdoors, intercept or redirect network traffic, and leverage the device as a pivot point within the local network. The confidentiality, integrity, and availability of the device and connected network are completely compromised [1].
Mitigation
The vendor (Netis Systems) was contacted on 24 February 2026 but did not respond. As of the publication date (8 May 2026), no firmware patch or update has been released. The device is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog at this time. Users are advised to isolate the router from untrusted networks, disable remote SSH access if not required, and monitor for future updates from the vendor [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- Range: = V4.0.1.4296
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Hard-coded root credential stored in /etc/shadow.sample with the trivially weak password "root" [ref_id=1]."
Attack vector
An attacker with network access to the Netis AC1200 Router NC21 (firmware V4.0.1.4296) can authenticate as root via SSH using the default password "root" [ref_id=1]. The researcher's proof of concept shows SSH access using legacy algorithms (diffie-hellman-group1-sha1, ssh-rsa, aes128-cbc) to connect to root@192.168.1.1 with password "root" [ref_id=1]. No authentication bypass or additional exploitation is required — the credential is intentionally present in the firmware image at /etc/shadow.sample [ref_id=1].
Affected code
The hard-coded root credential is stored in the file /etc/shadow.sample within the firmware of the Netis AC1200 Router NC21 running V4.0.1.4296 [ref_id=1]. The root account's password hash corresponds to the plaintext value "root" [ref_id=1].
What the fix does
No patch has been released by the vendor (Netis Systems) as of the publication date [ref_id=1]. The vendor was contacted but did not respond [ref_id=1]. The remediation would require the vendor to remove the hard-coded credential from /etc/shadow.sample, enforce unique per-device root passwords during first boot, and provide a firmware update to affected devices [ref_id=1].
Preconditions
- networkAttacker must have network access to the device (e.g., on the same LAN or via the WAN if SSH is exposed)
- configSSH service must be enabled on the router (default configuration)
Reproduction
Step 1 — SSH Access: `ssh -oKexAlgorithms=diffie-hellman-group1-sha1 -oHostKeyAlgorithms=ssh-rsa -oPubkeyAcceptedAlgorithms=ssh-rsa -oCiphers=aes128-cbc -oCompression=no root@192.168.1.1` with default password `root` [ref_id=1].
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
2News mentions
0No linked articles in our index yet.