CVE-2026-36540
Published: 27 May 2026
Summary
CVE-2026-36540 is a high-severity Command Injection (CWE-77) vulnerability in Netis System (inferred from references). Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 29.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Netis AC1200 Router NC21 V4.0.1.4296 contains an unauthenticated command injection vulnerability in the /cgi-bin/skk_set.cgi endpoint. The password and new_pwd_confirm POST parameters are passed directly to the underlying operating system shell without sanitization, allowing arbitrary commands to be supplied via backtick wrapping and base64 encoding. The flaw is tracked as CWE-77 and carries a CVSS 3.1 score of 7.3.
Any device on the LAN can exploit the issue with a single unauthenticated HTTP POST request, resulting in full remote code execution on the router. The EPSS score remains flat at 0.0127 with no material increase after disclosure. Public references consist of the vendor site and a GitHub disclosure repository, but contain no details on patches or mitigation steps.
EU & UK References
No EU or UK CSIRT advisories indexed for this CVE.
Vulnerability details
Netis AC1200 Router NC21 V4.0.1.4296 is vulnerable to unauthenticated command injection via the /cgi-bin/skk_set.cgi endpoint. The password and new_pwd_confirm POST parameters are passed directly to the underlying OS shell without sanitization. An attacker can inject arbitrary shell commands by wrapping…
more
them in backticks (`) and encoding them in base64. Because the endpoint requires no authentication, any device on the LAN can achieve full Remote Code Execution on the router's operating system with a single HTTP POST request.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated command injection in web CGI endpoint directly enables remote OS command execution (T1190) via Unix shell (T1059.004).
CVEs Like This One
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.