Cyber Resilience

CVE-2026-36540

High

Published: 27 May 2026

Published
27 May 2026
Modified
28 May 2026
KEV Added
Patch
CVSS Score v3.1 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
EPSS Score 0.0150 70.9th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-36540 is a high-severity Command Injection (CWE-77) vulnerability in Netis System (inferred from references). Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 29.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

Netis AC1200 Router NC21 V4.0.1.4296 contains an unauthenticated command injection vulnerability in the /cgi-bin/skk_set.cgi endpoint. The password and new_pwd_confirm POST parameters are passed directly to the underlying operating system shell without sanitization, allowing arbitrary commands to be supplied via backtick wrapping and base64 encoding. The flaw is tracked as CWE-77 and carries a CVSS 3.1 score of 7.3.

Any device on the LAN can exploit the issue with a single unauthenticated HTTP POST request, resulting in full remote code execution on the router. The EPSS score remains flat at 0.0127 with no material increase after disclosure. Public references consist of the vendor site and a GitHub disclosure repository, but contain no details on patches or mitigation steps.

EU & UK References

No EU or UK CSIRT advisories indexed for this CVE.

Vulnerability details

Netis AC1200 Router NC21 V4.0.1.4296 is vulnerable to unauthenticated command injection via the /cgi-bin/skk_set.cgi endpoint. The password and new_pwd_confirm POST parameters are passed directly to the underlying OS shell without sanitization. An attacker can inject arbitrary shell commands by wrapping…

more

them in backticks (`) and encoding them in base64. Because the endpoint requires no authentication, any device on the LAN can achieve full Remote Code Execution on the router's operating system with a single HTTP POST request.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Unauthenticated command injection in web CGI endpoint directly enables remote OS command execution (T1190) via Unix shell (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-50722Shared CWE-77
CVE-2025-52053Shared CWE-77
CVE-2024-43028Shared CWE-77
CVE-2024-54007Shared CWE-77
CVE-2025-23239Shared CWE-77
CVE-2025-22912Shared CWE-77
CVE-2025-23094Shared CWE-77
CVE-2026-26792Shared CWE-77
CVE-2026-36983Shared CWE-77
CVE-2026-31059Shared CWE-77

Affected Assets

Netis System
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References