PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-36538 Netis System CVE debrief

CVE-2026-36538 documents a hard-coded root credential vulnerability in the Netis AC1200 Router (model NC21) running firmware version V4.0.1.4296. The root account password is set to the trivial value 'root' and stored in /etc/shadow.sample, enabling any attacker with device access to authenticate as root and obtain full operating system control. This represents a critical authentication bypass weakness where the vendor distributed firmware with a known, weak default credential embedded in a system file. The vulnerability was published to the CVE List on 27 May 2026 and subsequently modified the same day. No CVSS score or severity rating has been assigned by NVD at this time, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. The vendor attribution carries low confidence based on reference domain analysis, with 'Netis System' identified as the candidate vendor.

Vendor: Netis System
Product: Netis AC1200 Router NC21
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Network administrators managing Netis AC1200 NC21 router deployments, security teams responsible for IoT and network infrastructure asset protection, SOHO users with consumer-grade routers, managed service providers with client router fleets, and incident response teams investigating potential router compromise indicators

Technical summary

The Netis AC1200 Router NC21 firmware V4.0.1.4296 ships with a hard-coded root password of 'root' stored in /etc/shadow.sample. This static credential allows any party with network or physical access to the device to authenticate as the root user without credential guessing or brute force. Successful authentication grants complete administrative control over the underlying Linux-based operating system, including the ability to modify routing tables, intercept network traffic, install persistent malware, or pivot to connected internal networks. The vulnerability exists because the vendor included a sample shadow file with a known weak password rather than requiring secure initial configuration or generating unique credentials per device.

Defensive priority

critical

Recommended defensive actions

  • Immediately audit all Netis AC1200 NC21 routers for firmware version V4.0.1.4296 and isolate affected devices from untrusted networks until remediation
  • Change the root password on all affected devices to a cryptographically strong, unique credential not derived from the factory default
  • Review /etc/shadow.sample and related system files on Netis router firmware for additional hard-coded credentials or backdoor accounts
  • Implement network segmentation to restrict administrative access to router management interfaces from authorized management hosts only
  • Monitor authentication logs for unauthorized root access attempts or successful logins using default credentials
  • Contact Netis System technical support to obtain patched firmware that removes hard-coded credentials and enforces strong password policies upon initial setup
  • If a vendor patch is unavailable, consider replacing affected router hardware with enterprise-grade alternatives that support secure credential management
  • Document all router firmware versions and credential configurations in asset inventory for future vulnerability response
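
For the review of /etc/shadow.sample and related files recommended above, the following is an added example and not code from PatchSiren, the CVE record or the vendor. It assumes the firmware root filesystem has already been extracted to a local directory (the ROOTFS argument, a hypothetical path) and reports every shadow-format file under etc/ that ships an account with a preset hash or an empty password field; it does not test any password values.

```shell
#!/bin/sh
# Added example: audit an extracted firmware root filesystem for shadow-format
# files that ship accounts with a preset or empty password field.
# Assumption: ROOTFS is a directory holding the unpacked firmware filesystem.

# audit_shadow_files ROOTFS
# Prints one line per finding: <file>:<account>:<status>
#   PRESET_HASH  password field holds a hash, so a fixed password is baked in
#   EMPTY        password field is empty, so no password is required
# Locked fields (*, !, !!, x, or a hash prefixed with !) are not reported.
audit_shadow_files() {
    rootfs=$1
    [ -d "$rootfs/etc" ] || { echo "no etc/ under $rootfs" >&2; return 2; }
    # Match shadow, shadow-, shadow.sample, shadow.bak and similar copies.
    find "$rootfs/etc" -type f -name 'shadow*' | sort | while IFS= read -r f; do
        awk -F: -v file="${f#"$rootfs"}" '
            /^[ \t]*(#|$)/ { next }    # skip comments and blank lines
            NF < 2         { next }    # not a shadow-format record
            {
                pw = $2
                if (pw == "")                       status = "EMPTY"
                else if (pw ~ /^[!*]/ || pw == "x") status = ""
                else                                status = "PRESET_HASH"
                if (status != "") print file ":" $1 ":" status
            }' "$f"
    done
}

# count_findings ROOTFS
# Prints the number of accounts reported by audit_shadow_files.
count_findings() {
    audit_shadow_files "$1" | wc -l | tr -d ' '
}
```

Any PRESET_HASH finding for root in a file such as /etc/shadow.sample is the condition this CVE describes and should be treated as a shared credential across every device running that image.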

Evidence notes

The vulnerability description is sourced from the official CVE record and NVD entry. The hard-coded credential location (/etc/shadow.sample) and password value ('root') are explicitly stated in the CVE description. Vendor attribution is marked as low confidence with review needed, based on reference domain candidate analysis identifying 'Netis System'. No CVSS vector, weaknesses, or CPE criteria are present in the source data.
