Description
Netis AC1200 Router NC21 V4.0.1.4296 is vulnerable to unauthenticated command injection via the /cgi-bin/skk_set.cgi endpoint. The password and new_pwd_confirm POST parameters are passed directly to the underlying OS shell without sanitization. An attacker can inject arbitrary shell commands by wrapping them in backticks (`) and encoding them in base64. Because the endpoint requires no authentication, any device on the LAN can achieve full Remote Code Execution on the router's operating system with a single HTTP POST request.
Published: 2026-05-27
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The password and new_pwd_confirm parameters are passed directly to the OS shell without sanitization. An attacker can embed shell commands in backticks and base64‑encode them, enabling arbitrary command execution when a POST request is sent to the /cgi-bin/skk_set.cgi endpoint. Because the endpoint requires no authentication, any device on the LAN can achieve full Remote Code Execution, compromising the router’s firmware and all assets behind it.

Affected Systems

The vulnerability has been identified in Netis AC1200 Router model NC21 running firmware version V4.0.1.4296. No other models or versions are known to be affected at this time.

Risk and Exploitability

The flaw is unmitigated by authentication or rate limiting, making it highly exploitable within the LAN. No EPSS score is published and the issue is not in CISA’s KEV catalog. Attackers can launch the exploit from any connected device, and once executed, can execute arbitrary shell commands, potentially compromising the router and any devices behind it.

Generated by OpenCVE AI on May 27, 2026 at 19:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the router firmware to the latest secure version if one is available; if a patch has not yet been released, remove the /cgi-bin/skk_set.cgi CGI script or block access to it through the router’s internal firewall.
  • Apply network segmentation to isolate critical devices from the LAN segment that can reach the router, or enforce a strict VLAN policy that limits which devices may initiate HTTP traffic to the router.
  • Monitor the router’s system logs for unusual POST requests to the skk_set.cgi endpoint and set alerts for any unauthorized attempts.
  • If updates or blocking are not immediately possible, place an additional outbound firewall rule that drops all traffic from the LAN to the router’s configuration port regardless of protocol.

Generated by OpenCVE AI on May 27, 2026 at 19:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 27 May 2026 19:30:00 +0000

Type Values Removed Values Added
Title Unauthenticated Remote Command Injection via /cgi-bin/skk_set.cgi on Netis AC1200 Router
Weaknesses CWE-78

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description Netis AC1200 Router NC21 V4.0.1.4296 is vulnerable to unauthenticated command injection via the /cgi-bin/skk_set.cgi endpoint. The password and new_pwd_confirm POST parameters are passed directly to the underlying OS shell without sanitization. An attacker can inject arbitrary shell commands by wrapping them in backticks (`) and encoding them in base64. Because the endpoint requires no authentication, any device on the LAN can achieve full Remote Code Execution on the router's operating system with a single HTTP POST request.
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-27T13:17:20.373Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-36540

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2026-05-27T14:16:45.637

Modified: 2026-05-27T20:04:31.980

Link: CVE-2026-36540

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T19:15:26Z

Weaknesses