Description
Netis AC1200 Router NC21 V4.0.1.4296 is vulnerable to unauthenticated command injection via the /cgi-bin/skk_set.cgi endpoint. The password and new_pwd_confirm POST parameters are passed directly to the underlying OS shell without sanitization. An attacker can inject arbitrary shell commands by wrapping them in backticks (`) and encoding them in base64. Because the endpoint requires no authentication, any device on the LAN can achieve full Remote Code Execution on the router's operating system with a single HTTP POST request.
Published: 2026-05-27
Score: 7.3 High
EPSS: 1.5% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The password and new_pwd_confirm parameters are passed directly to the OS shell without sanitization, allowing an attacker to embed shell commands in backticks and encode them in base64. This flaw enables arbitrary command execution when an HTTP POST request reaches the "/cgi-bin/skk_set.cgi" endpoint. The description explicitly notes that the endpoint requires no authentication, which means any device on the LAN can attempt the exploit and achieve full Remote Code Execution on the router’s operating system.

Affected Systems

Netis AC1200 Router model NC21 running firmware version V4.0.1.4296 is affected. No other models or firmware versions are mentioned as having this vulnerability.

Risk and Exploitability

The CVSS score of 7.3 indicates a high severity risk. The EPSS score is reported as less than 1%, implying that the probability of exploitation is very low in the current threat landscape, and the vulnerability is not listed in CISA’s KEV catalog. Based on the description, the likely attack vector is an unauthenticated HTTP POST request sent from any LAN device to the "/cgi-bin/skk_set.cgi" endpoint; once the command is accepted, the attacker can run arbitrary shell commands, compromising the router’s firmware and potentially any devices connected through it.

Generated by OpenCVE AI on May 28, 2026 at 19:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Contact Netis to obtain a firmware update that fixes the command injection flaw; if no patch is available, eliminate or block the "/cgi-bin/skk_set.cgi" CGI script via the router’s firewall or web access controls.
  • Implement network segmentation to isolate critical devices from the LAN segment that can reach the router, or enforce a strict VLAN policy that limits which devices may initiate HTTP traffic to the router.
  • Configure alerting for unusual POST requests to the skk_set.cgi endpoint and monitor router logs for evidence of attempted exploitation.

Generated by OpenCVE AI on May 28, 2026 at 19:01 UTC.
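
One way to implement the alerting recommended above, as an added example (not OpenCVE's or Netis's code): it inspects HTTP requests captured on the LAN side and flags shell metacharacters in the two parameters named in the description, both as sent and after base64 decoding. The (method, path, body) input shape is an assumption, as are the helper names, and the sample requests are constructed.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs

ENDPOINT = "/cgi-bin/skk_set.cgi"            # endpoint named in the advisory
WATCHED = ("password", "new_pwd_confirm")    # parameters named in the advisory
# Shell command syntax; backticks are the case the advisory describes.
SHELL_META = re.compile(r"[`;|&<>\n]|\$\(")


def decode_b64(value):
    """Return base64-decoded text, or None if the value is not valid base64."""
    value = value.replace(" ", "+")          # parse_qs turns an unescaped '+' into a space
    try:
        raw = base64.b64decode(value + "=" * (-len(value) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", errors="replace")


def inspect_request(method, path, body):
    """Return (parameter, reason) findings for one captured request."""
    if method.upper() != "POST" or path.split("?", 1)[0] != ENDPOINT:
        return []
    findings = []
    params = parse_qs(body, keep_blank_values=True)
    for name in WATCHED:
        for value in params.get(name, []):
            # Check the value as sent and as it reads after base64 decoding.
            for label, text in (("raw", value), ("base64-decoded", decode_b64(value))):
                if text and SHELL_META.search(text):
                    findings.append((name, f"shell metacharacter in {label} value"))
    return findings


def _b64(text):
    return base64.b64encode(text.encode()).decode()

# Constructed sample requests, not real captures.
SAMPLES = [
    ("POST", ENDPOINT, f"password={_b64('Winter2026')}&new_pwd_confirm={_b64('Winter2026')}"),
    ("POST", ENDPOINT, f"password={_b64('`example-command`')}&new_pwd_confirm={_b64('x')}"),
    ("GET", "/index.htm", ""),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[0], sample[1], inspect_request(*sample) or "clean")
```

A legitimate password that contains one of these characters will also raise a finding, so treat hits as alerts to triage rather than confirmed exploitation.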

Advisories

No advisories yet.

History

Sat, 30 May 2026 23:00:00 +0000

Type Values Removed Values Added
First Time appeared Netis
Netis ac1200 Router
Vendors & Products Netis
Netis ac1200 Router

Thu, 28 May 2026 18:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated Command Injection via skk_set.cgi in Netis AC1200 Router NC21

Thu, 28 May 2026 17:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated Remote Command Injection via /cgi-bin/skk_set.cgi on Netis AC1200 Router
Weaknesses CWE-78

Thu, 28 May 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-77
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 19:30:00 +0000

Type Values Removed Values Added
Title Unauthenticated Remote Command Injection via /cgi-bin/skk_set.cgi on Netis AC1200 Router
Weaknesses CWE-78

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description Netis AC1200 Router NC21 V4.0.1.4296 is vulnerable to unauthenticated command injection via the /cgi-bin/skk_set.cgi endpoint. The password and new_pwd_confirm POST parameters are passed directly to the underlying OS shell without sanitization. An attacker can inject arbitrary shell commands by wrapping them in backticks (`) and encoding them in base64. Because the endpoint requires no authentication, any device on the LAN can achieve full Remote Code Execution on the router's operating system with a single HTTP POST request.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-28T13:42:54.895Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-36540

Vulnrichment

Updated: 2026-05-28T13:42:38.289Z

NVD

Status: Deferred

Published: 2026-05-27T14:16:45.637

Modified: 2026-05-28T14:16:19.160

Link: CVE-2026-36540

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-30T21:22:37Z

Weaknesses
  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')