Description
A security flaw has been discovered in Netcore Power 15AX up to 3.0.0.6938. Affected by this issue is the function setTools of the file /bin/netis.cgi of the component Diagnostic Tool Interface. Performing a manipulation of the argument IpAddr results in os command injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-03-26
Score: 8.7 High
EPSS: 8.3% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw exists in the setTools function of /bin/netis.cgi on Netcore Power 15AX devices. An attacker can manipulate the IpAddr operating‑system commands, enabling remote command execution. This weakness aligns with OS Command Injection (CWE‑77) and Improper Neutralization of Special Elements used in an OS Command (CWE‑78).

Affected Systems

Firmware versions of Netcore Power 15AX up to and including 3.0.0.6938 are affected. Any device running these images is susceptible, particularly when the Diagnostic Tool Interface is reachable over the network.

Risk and Exploitability

The CVSS score of 8.7 reflects high severity, while the EPSS score of 8% reflects a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Remote attackers can target the exposed /bin/netis.cgi endpoint over the network to achieve full control of the device.

Generated by OpenCVE AI on June 24, 2026 at 13:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Acquire and install the latest firmware version that resolves the command injection flaw; contact the vendor if no patch is available.
  • Configure network or firewall rules to block external access to the /bin/netis.cgi diagnostic tool interface; limit exposure to trusted internal networks.
  • If the Diagnostic Tool is not essential for operations, disable or uninstall the component to eliminate the attack surface.

Generated by OpenCVE AI on June 24, 2026 at 13:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 30 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Netcore
Netcore power 15ax
Vendors & Products Netcore
Netcore power 15ax

Thu, 26 Mar 2026 04:30:00 +0000

Type Values Removed Values Added
Description A security flaw has been discovered in Netcore Power 15AX up to 3.0.0.6938. Affected by this issue is the function setTools of the file /bin/netis.cgi of the component Diagnostic Tool Interface. Performing a manipulation of the argument IpAddr results in os command injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Title Netcore Power 15AX Diagnostic Tool netis.cgi setTools os command injection
Weaknesses CWE-77
CWE-78
References
Metrics cvssV2_0

{'score': 9, 'vector': 'AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Netcore Power 15ax
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-30T14:56:13.210Z

Reserved: 2026-03-25T14:39:11.689Z

Link: CVE-2026-4840

cve-icon Vulnrichment

Updated: 2026-03-30T12:58:04.921Z

cve-icon NVD

Status : Deferred

Published: 2026-03-26T05:16:40.840

Modified: 2026-06-17T10:57:19.467

Link: CVE-2026-4840

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T13:30:06Z

Weaknesses
  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')

  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')