Cyber Resilience

CVE-2026-4840

Severity: High · RCE

Published: 26 March 2026
Modified: 24 April 2026
KEV Added: not listed
Patch: none referenced
CVSS Score v4: 7.4 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0826 (94.2nd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-4840 is a high-severity Command Injection (CWE-77) vulnerability. Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 5.8% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-4840 is an OS command injection vulnerability in Netcore Power 15AX routers up to version 3.0.0.6938. The issue affects the setTools function in the /bin/netis.cgi file, which is part of the Diagnostic Tool Interface. Manipulating the IpAddr argument triggers the command injection, as classified under CWE-77 and CWE-78, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Remote attackers with low privileges can exploit this vulnerability over the network without user interaction. Successful exploitation enables arbitrary OS command execution, potentially leading to high impacts on confidentiality, integrity, and availability, such as full system compromise on the affected router.

Advisories from VulDB and a public GitHub repository detail the vulnerability and include a proof-of-concept exploit. The vendor was contacted early but provided no response, and no patches or specific mitigations are referenced.

The exploit has been publicly released, increasing the risk of real-world attacks against unpatched Netcore Power 15AX devices.

Vulnerability details

A security flaw has been discovered in Netcore Power 15AX up to 3.0.0.6938. Affected by this issue is the function setTools of the file /bin/netis.cgi of the component Diagnostic Tool Interface. Performing a manipulation of the argument IpAddr results in OS command injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s): CWE-77 (Command Injection), CWE-78 (OS Command Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

The vulnerability is a command injection in a web CGI interface (/bin/netis.cgi) on a network-accessible router, enabling remote exploitation of a public-facing application (T1190) to achieve arbitrary Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-7204 (shared CWE-77, CWE-78)
CVE-2026-2152 (shared CWE-77, CWE-78)
CVE-2026-5677 (shared CWE-77, CWE-78)
CVE-2026-2157 (shared CWE-77, CWE-78)
CVE-2026-7136 (shared CWE-77, CWE-78)
CVE-2026-7121 (shared CWE-77, CWE-78)
CVE-2026-9387 (shared CWE-77, CWE-78)
CVE-2026-9477 (shared CWE-77, CWE-78)
CVE-2026-2063 (shared CWE-77, CWE-78)
CVE-2026-2847 (shared CWE-77, CWE-78)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI)

Prevent (SI-10 Information Input Validation): Directly mitigates OS command injection by validating and sanitizing the IpAddr argument in the setTools function of netis.cgi, so that user-supplied input can never be interpreted as part of a command.

Prevent: Addresses the specific flaw in Netcore Power 15AX routers by prioritizing timely remediation, through a vendor patch when one becomes available or through mitigation of the command injection vulnerability in the meantime.

Prevent (AC-6 Least Privilege): Enforces least privilege to restrict low-privileged remote users from accessing or exploiting the vulnerable Diagnostic Tool Interface, limiting the damage a command injection could do.
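As an added illustration of the input-validation control above (this is example code, not code from the Netcore firmware or from this advisory), the following C handler accepts an IpAddr-style diagnostic parameter only if it parses as a literal IPv4 or IPv6 address, and then runs the ping helper through execv with a fixed argv rather than a shell. The function names and the /bin/ping path are assumptions.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Allowlist check (hypothetical helper): the parameter must parse as a
 * literal IPv4 or IPv6 address. Hostnames, whitespace, trailing
 * punctuation or any shell metacharacter fail inet_pton and are rejected
 * before the value reaches any process-spawning call. */
int ipaddr_is_valid(const char *s)
{
    unsigned char buf[16];
    if (s == NULL || *s == '\0' || strlen(s) > INET6_ADDRSTRLEN)
        return 0;
    return inet_pton(AF_INET, s, buf) == 1 || inet_pton(AF_INET6, s, buf) == 1;
}

/* Diagnostic ping without a shell (hypothetical helper). The address is
 * passed as a single argv element, so even a value containing ';' or '|'
 * could only ever be an argument to ping, never a second command.
 * Returns the child's exit status, or -1 for invalid input or a spawn
 * failure. */
int run_diagnostic_ping(const char *ipaddr)
{
    if (!ipaddr_is_valid(ipaddr))
        return -1;

    char *const argv[] = { "ping", "-c", "4", (char *)ipaddr, NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv("/bin/ping", argv);   /* assumed path; only returns on failure */
        _exit(127);
    }

    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The validator rejects the value before any process is created, so the CGI never has to sanitize or escape shell syntax at all.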
