Cyber Posture

CVE-2026-4840

High

Published: 26 March 2026

Modified: 24 April 2026
KEV Added:
Patch:
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0025 (48.5th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Description

A security flaw has been discovered in Netcore Power 15AX up to 3.0.0.6938. Affected by this issue is the function setTools of the file /bin/netis.cgi of the component Diagnostic Tool Interface. Performing a manipulation of the argument IpAddr results in OS command injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Mitigating Controls (NIST 800-53 r5) [AI]

prevent

Directly mitigates OS command injection by validating and sanitizing the IpAddr argument in the setTools function of netis.cgi to prevent malicious command execution.

prevent

Addresses the specific flaw in Netcore Power 15AX routers by prioritizing timely remediation through patching or mitigation of the command injection vulnerability.

prevent

Enforces least privilege to restrict low-privileged remote users from accessing or exploiting the vulnerable Diagnostic Tool Interface, limiting potential damage from command injection.

Security Summary [AI]

CVE-2026-4840 is an OS command injection vulnerability in Netcore Power 15AX routers up to version 3.0.0.6938. The issue affects the setTools function in the /bin/netis.cgi file, which is part of the Diagnostic Tool Interface. Manipulating the IpAddr argument triggers the command injection, as classified under CWE-77 and CWE-78, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Remote attackers with low privileges can exploit this vulnerability over the network without user interaction. Successful exploitation enables arbitrary OS command execution, potentially leading to high impacts on confidentiality, integrity, and availability, such as full system compromise on the affected router.

Advisories from VulDB and a public GitHub repository detail the vulnerability and include a proof-of-concept exploit. The vendor was contacted early but provided no response, and no patches or specific mitigations are referenced.

The exploit has been publicly released, increasing the risk of real-world attacks against unpatched Netcore Power 15AX devices.

Details

CWE(s)

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

The vulnerability is a command injection in a web CGI interface (/bin/netis.cgi) on a network-accessible router, enabling remote exploitation of a public-facing application (T1190) to achieve arbitrary Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
