PatchSiren cyber security CVE debrief

CVE-2026-36540 Netis CVE debrief

A critical unauthenticated command injection vulnerability affects Netis AC1200 Router firmware version NC21 V4.0.1.4296. The /cgi-bin/skk_set.cgi endpoint passes the password and new_pwd_confirm POST parameters directly to the underlying OS shell without sanitization, enabling arbitrary command execution via backtick-wrapped, base64-encoded payloads. The endpoint requires no authentication, allowing any LAN-connected device to achieve full remote code execution on the router's operating system with a single HTTP POST request.

Vendor: Netis
Product: AC1200 Router
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Network administrators managing Netis AC1200 deployments, SOHO users with consumer-grade routers, security teams responsible for edge device hardening, and incident responders investigating router compromises.

Technical summary

The vulnerability exists in the /cgi-bin/skk_set.cgi endpoint of Netis AC1200 Router firmware NC21 V4.0.1.4296. The password and new_pwd_confirm parameters are passed unsanitized to the OS shell, enabling command injection through backtick-wrapped commands encoded in base64. No authentication is required to reach this endpoint, so LAN access to the router is the only barrier to exploitation. Successful exploitation grants operating-system-level code execution on the router.

Defensive priority

Critical

Recommended defensive actions

  • Immediately isolate affected Netis AC1200 routers from untrusted LAN segments and restrict administrative interface access to dedicated management VLANs only.
  • Block outbound connections from router management interfaces to prevent callback channels from injected commands.
  • Apply firmware updates from Netis when available; consider replacement if vendor support has ended.
  • Monitor for anomalous HTTP POST requests to /cgi-bin/skk_set.cgi containing backtick characters or base64-encoded strings in password fields.
  • Review router logs for unexpected shell command execution or unauthorized configuration changes.
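A minimal log-review check for the monitoring action above, added here as an example and not part of the advisory; it assumes a constructed 'SRC METHOD PATH BODY' request-log format, since the router's own log layout is not described on this page, and treats a backtick as the strong signal and a bare base64-looking value as a weak one.

```python
import re
from urllib.parse import parse_qs

TARGET_PATH = "/cgi-bin/skk_set.cgi"                      # endpoint named in the advisory
WATCHED_FIELDS = ("password", "new_pwd_confirm")          # parameters named in the advisory
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")     # long, base64-looking value

def suspicious_fields(body):
    """Map each watched field in a POST body to why it looks suspicious.

    'backtick' is the strong signal (shell substitution syntax has no place in a
    password field); 'base64-like' is weak on its own, because long random
    passwords look the same, so report it but rank it lower.
    """
    params = parse_qs(body, keep_blank_values=True)       # also decodes %60 back to a backtick
    findings = {}
    for field in WATCHED_FIELDS:
        values = params.get(field, [])
        if any("`" in v for v in values):
            findings[field] = "backtick"
        elif any(BASE64_RE.match(v) for v in values):
            findings[field] = "base64-like"
    return findings

def scan_log(lines):
    """Scan lines of the constructed 'SRC METHOD PATH BODY' format (an assumed
    layout, not the router's own) and return (src, findings) for each hit."""
    hits = []
    for line in lines:
        parts = line.split(" ", 3)
        if len(parts) < 4:
            continue
        src, method, path, body = parts
        if method != "POST" or path != TARGET_PATH:
            continue
        findings = suspicious_fields(body)
        if findings:
            hits.append((src, findings))
    return hits

# Constructed sample log: a normal password change, a URL-encoded backtick wrapper
# around a base64 blob, an unrelated request, and a long base64-like value.
SAMPLE_LOG = [
    "192.168.1.50 POST /cgi-bin/skk_set.cgi password=Summer2026!&new_pwd_confirm=Summer2026!",
    "192.168.1.77 POST /cgi-bin/skk_set.cgi password=%60QUJDREVGR0hJSktMTU5PUA%3D%3D%60&new_pwd_confirm=x",
    "192.168.1.23 GET /index.html -",
    "192.168.1.91 POST /cgi-bin/skk_set.cgi password=QUJDREVGR0hJSktMTU5PUFFSU1RVVlc%3D&new_pwd_confirm=QUJDREVGR0hJSktMTU5PUFFSU1RVVlc%3D",
]
```

Running scan_log(SAMPLE_LOG) flags 192.168.1.77 on the backtick and 192.168.1.91 only on the weaker base64-like signal; the first alone is worth paging on, the second warrants a look at who was changing the password.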

Evidence notes

CVE published 2026-05-27T14:16:45.637Z; modified 2026-05-27T20:04:31.980Z. NVD status: Deferred. Vendor attribution is based on the reference-domain candidate 'Netis System' with low confidence and requires review. Disclosure documentation is available via the researcher's GitHub repository.

Official resources

2026-05-27