PatchSiren cyber security CVE debrief

CVE-2026-36539 Netis CVE debrief

A critical authentication bypass vulnerability in the Netis AC1200 Router (NC21) allows unauthenticated LAN attackers to retrieve the complete device configuration, including administrative credentials, WiFi passwords, PPPoE credentials, DDNS credentials, and a full enumeration of connected devices. The vulnerability resides in the `/cgi-bin/skk_get.cgi` endpoint, which returns the entire router configuration as JSON without requiring authentication. This represents a severe exposure of sensitive credentials and network topology information to any attacker with local network access. The CVE was published on 2026-05-27 and subsequently modified later that same day. The vulnerability status is currently marked as 'Deferred' in the NVD. No CVSS score or severity rating has been assigned in the official record. The disclosure includes a reference to a GitHub repository containing additional technical details.

Vendor: Netis
Product: AC1200 Router NC21
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Network administrators managing Netis AC1200 NC21 deployments; security teams responsible for SOHO/consumer router security; incident responders investigating credential compromise on small office networks; CISOs evaluating supply chain risk from consumer networking equipment

Technical summary

The Netis AC1200 Router NC21 running firmware V4.0.1.4296 contains an unauthenticated information disclosure vulnerability in the `/cgi-bin/skk_get.cgi` CGI endpoint. This endpoint returns the complete router configuration as a JSON response without requiring authentication. An attacker with LAN access can issue a single HTTP GET request to this endpoint and obtain: administrator credentials, WiFi passwords, PPPoE credentials, DDNS credentials, and a complete enumeration of all connected devices. The vulnerability requires no authentication and no user interaction, presenting a critical risk for credential compromise and network reconnaissance. The attack vector is network-adjacent (LAN), with low attack complexity and high impact on confidentiality. No integrity or availability impact is described in the disclosure.

Defensive priority

critical

Recommended defensive actions

Immediately restrict network access to the router's web management interface to trusted administrative hosts only; consider disabling remote management entirely
Segment IoT and guest networks from administrative LAN segments to limit exposure of the router's management interface
Monitor for unauthorized HTTP GET requests to `/cgi-bin/skk_get.cgi` in network logs as potential reconnaissance activity
Apply firmware updates from Netis when available; contact vendor support for patch timeline if no update is published
Rotate all credentials stored on affected routers including administrative passwords, WiFi PSKs, PPPoE credentials, and DDNS credentials after securing the device
Conduct network forensics to identify if unauthorized configuration retrieval has occurred, reviewing logs for access to the vulnerable endpoint
Replace affected hardware if vendor patches are not forthcoming, selecting routers with robust authentication requirements for configuration access

Evidence notes

Vulnerability description sourced from official CVE record and NVD entry. Vendor attribution to 'Netis' for AC1200 Router NC21 is present in the CVE description, though the vendor field in source data is marked as 'Unknown Vendor' with review needed. The `/cgi-bin/skk_get.cgi` endpoint and unauthenticated configuration disclosure are explicitly documented in the CVE description. NVD status is 'Deferred' as of the modified timestamp.

Official resources

2026-05-27