CVE-2026-36539
Description
Netis AC1200 Router NC21 V4.0.1.4296 exposes a CGI endpoint /cgi-bin/skk_get.cgi that returns the entire router configuration as a JSON response with no authentication required. Any attacker on the LAN can send a single HTTP GET request and instantly retrieve administrator credentials, WiFi passwords, PPPoE credentials, DDNS credentials, and a full map of all connected devices.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Netis AC1200 Router NC21 firmware V4.0.1.4296 exposes all router secrets via /cgi-bin/skk_get.cgi without authentication.
Vulnerability
The Netis AC1200 Router NC21 running firmware version V4.0.1.4296 exposes a CGI endpoint /cgi-bin/skk_get.cgi that returns the entire router configuration as a JSON response with no authentication required [1]. The response includes administrator credentials, WiFi passwords, PPPoE credentials, DDNS credentials, and a full map of all connected devices, all encoded in base64—which is trivially reversible [1]. No authentication token or header is needed to access this endpoint [1].
Exploitation
An attacker with LAN access (i.e., connected to the same network as the router) can send a single HTTP GET request to http:///cgi-bin/skk_get.cgi—for example, via a simple curl command or by navigating to the URL in a browser [1]. No prior knowledge, authentication, or user interaction is required [1]. The response is a JSON object; the attacker then decodes the base64-encoded values (e.g., using base64 -d on Linux) to retrieve plaintext secrets [1].
Impact
Successful exploitation results in full disclosure of the router's configuration, including the administrative password for the router's web interface, Wi-Fi pre-shared keys, PPPoE (ISP) credentials, DDNS account credentials, and a list of all LAN client IPs, MAC addresses, and hostnames [1]. An attacker can use the administrative credentials to take complete control of the router, change settings, or pivot deeper into the network, and can use the Wi-Fi and ISP credentials for unauthorized access or service abuse [1]. The confidentiality of all sensitive data managed by the device is completely compromised [1].
Mitigation
As of the publication date (2026-05-27), the vendor (Netis Systems) has not responded to disclosure attempts and no patch or firmware update has been released [1]. The device is likely end-of-life or unsupported [1]. Users should isolate the router from untrusted LAN clients by placing it behind a firewall or VLAN, or consider replacing the device with a supported alternative that receives security updates [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- Range: = V4.0.1.4296
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing authentication check on CGI endpoint /cgi-bin/skk_get.cgi allows unauthenticated access to the full router configuration."
Attack vector
An attacker on the same LAN as the affected Netis AC1200 Router NC21 (firmware V4.0.1.4296) sends a single HTTP GET request to http://<router-ip>/cgi-bin/skk_get.cgi [ref_id=1]. No authentication, token, or special headers are required. The endpoint returns the entire router configuration as a JSON response with sensitive values encoded in base64, which is trivially reversible [ref_id=1]. The attacker can instantly retrieve administrator credentials, WiFi passwords (WPA PSK), PPPoE credentials, DDNS credentials, and a full list of all connected devices including IP and MAC addresses [ref_id=1].
Affected code
The vulnerable endpoint is /cgi-bin/skk_get.cgi on the Netis AC1200 Router NC21 running firmware version V4.0.1.4296 [ref_id=1]. The CGI script returns the full router configuration as a JSON response without performing any authentication check [ref_id=1].
What the fix does
No patch has been released by the vendor (Netis Systems) as of the publication date [ref_id=1]. The researcher contacted the vendor but received no response [ref_id=1]. A proper fix would require implementing authentication enforcement on the /cgi-bin/skk_get.cgi endpoint so that only authenticated administrative users can access the router configuration, and ideally removing the exposure of secrets such as PPPoE and WiFi passwords from any unauthenticated interface.
Preconditions
- networkAttacker must be on the same LAN as the router (e.g., connected to the WiFi or wired network).
- inputNo authentication, token, or special headers required — a simple HTTP GET request suffices.
Reproduction
Step 1 — Send the request: `curl -s http://192.168.1.1/cgi-bin/skk_get.cgi` or navigate to that URL in a browser [ref_id=1]. Step 2 — Observe the full JSON dump containing all router configuration values encoded in base64 [ref_id=1]. Step 3 — Decode base64 values: `echo "AAAAA" | base64 -d` (admin password), `echo "CCCCC" | base64 -d` (PPPoE password), `echo "EEEEE" | base64 -d` (WiFi password) [ref_id=1].
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1News mentions
0No linked articles in our index yet.