Description
Netis AC1200 Router NC21 V4.0.1.4296 exposes a CGI endpoint /cgi-bin/skk_get.cgi that returns the entire router configuration as a JSON response with no authentication required. Any attacker on the LAN can send a single HTTP GET request and instantly retrieve administrator credentials, WiFi passwords, PPPoE credentials, DDNS credentials, and a full map of all connected devices.
Published: 2026-05-27
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exposes a public CGI endpoint, /cgi-bin/skk_get.cgi, that returns the entire router configuration as JSON without requiring any authentication. This payload includes administrator credentials, WiFi passwords, PPPoE credentials, DDNS credentials, and a complete mapping of all devices connected to the network. The result is a classic information disclosure flaw (CWE-200) that allows an attacker to obtain highly privileged credentials and detailed network topology.

Affected Systems

Netis AC1200 Router NC21 running firmware version 4.0.1.4296 is affected.

Risk and Exploitability

The exploit requires LAN access; any device on the local network can issue a single HTTP GET request to the endpoint and trigger the disclosure. The CVSS base score of 7.3 indicates high severity, while the EPSS score of less than 1% reflects a low estimated probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog, and no vendor fix is currently available. Nonetheless, the potential for credential compromise and lateral movement remains significant.

Generated by OpenCVE AI on May 28, 2026 at 16:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the router firmware to a version that removes or secures the /cgi-bin/skk_get.cgi endpoint.
  • Segregate the router’s management interface from the LAN using VLAN or a separate network segment to prevent local exposure.
  • If an upgrade is unavailable, block or deny access to /cgi-bin/skk_get.cgi via firewall or router ACLs, and immediately change all router and WiFi passwords.
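Until an upgrade or ACL is in place, the one signal a defender can act on is who has asked the router for its configuration. The following is an added example, not OpenCVE's or Netis's code; it assumes the router (or a proxy in front of it) writes Common Log Format access logs, which many embedded HTTP servers do not, and the log lines below are constructed for illustration. It flags every GET to /cgi-bin/skk_get.cgi, with or without a query string, and separates successful (2xx) reads, where the configuration was actually returned, from requests a firewall or ACL already denied.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, NamedTuple

# Endpoint named in the CVE description: it returns the full configuration
# without authentication, so any request to it is worth recording.
SENSITIVE_PATHS = frozenset({"/cgi-bin/skk_get.cgi"})

# Common Log Format (assumed log shape): client, ident, user, [timestamp],
# "METHOD path protocol", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


class Hit(NamedTuple):
    ip: str
    timestamp: str
    path: str
    status: int


def normalise_path(raw: str) -> str:
    """Drop the query string and trailing slash so '/x.cgi?a=1' matches '/x.cgi'."""
    return raw.split("?", 1)[0].rstrip("/")


def find_config_reads(lines: Iterable[str]) -> List[Hit]:
    """Return every GET aimed at a sensitive endpoint; unparseable lines are skipped."""
    hits: List[Hit] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = normalise_path(m.group("path"))
        if m.group("method") == "GET" and path in SENSITIVE_PATHS:
            hits.append(Hit(m.group("ip"), m.group("ts"), path, int(m.group("status"))))
    return hits


def successful_by_client(hits: Iterable[Hit]) -> Dict[str, int]:
    """Count only 2xx responses: those are the requests that received the configuration."""
    return dict(Counter(h.ip for h in hits if 200 <= h.status < 300))


# Constructed sample log lines (not real traffic). The last request shows what
# a denied attempt looks like once an ACL is in place.
SAMPLE_LOG = [
    '192.168.1.23 - - [28/May/2026:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5123',
    '192.168.1.77 - - [28/May/2026:10:02:15 +0000] "GET /cgi-bin/skk_get.cgi HTTP/1.1" 200 18422',
    '192.168.1.77 - - [28/May/2026:10:02:16 +0000] "GET /cgi-bin/skk_get.cgi?t=1 HTTP/1.1" 200 18422',
    '192.168.1.23 - - [28/May/2026:10:03:00 +0000] "POST /cgi-bin/login.cgi HTTP/1.1" 200 310',
    'not a log line at all',
    '192.168.1.90 - - [28/May/2026:10:05:40 +0000] "GET /cgi-bin/skk_get.cgi HTTP/1.1" 403 0',
]


if __name__ == "__main__":
    hits = find_config_reads(SAMPLE_LOG)
    for h in hits:
        print(f"{h.timestamp}  {h.ip:<15}  {h.path}  status={h.status}")
    print("clients that received the configuration:", successful_by_client(hits))
```

Any client in the successful list should be treated as having the administrator, WiFi, PPPoE and DDNS credentials the endpoint returns, which is why the recommended action pairs blocking the endpoint with rotating every password the router holds.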

Generated by OpenCVE AI on May 28, 2026 at 16:49 UTC.

Tracking


Advisories

No advisories yet.

History

Sat, 30 May 2026 23:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Netis; Netis ac1200 Router
Vendors & Products  |                | Netis; Netis ac1200 Router

Thu, 28 May 2026 17:15:00 +0000

Type  | Values Removed | Values Added
Title |                | Unauthorized Retrieval of Router Configuration via Unprotected CGI Endpoint

Thu, 28 May 2026 14:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}
        |                | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 27 May 2026 17:15:00 +0000

Type       | Values Removed | Values Added
Title      |                | Unauthorized Retrieval of Router Configuration via Unprotected CGI Endpoint
Weaknesses |                | CWE-200

Wed, 27 May 2026 14:15:00 +0000

Type        | Values Removed | Values Added
Description |                | Netis AC1200 Router NC21 V4.0.1.4296 exposes a CGI endpoint /cgi-bin/skk_get.cgi that returns the entire router configuration as a JSON response with no authentication required. Any attacker on the LAN can send a single HTTP GET request and instantly retrieve administrator credentials, WiFi passwords, PPPoE credentials, DDNS credentials, and a full map of all connected devices.

References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-28T13:36:27.542Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-36539

Vulnrichment

Updated: 2026-05-28T13:36:22.583Z

NVD

Status: Deferred

Published: 2026-05-27T14:16:45.527

Modified: 2026-05-28T14:16:19.007

Link: CVE-2026-36539

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-30T21:22:38Z

Weaknesses
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor