Unrated severity · NVD Advisory · Published Jun 3, 2026

CVE-2026-36602

Description

Mercusys AC12G router firmware leaks kernel memory addresses via UPnP, aiding attackers on the adjacent network.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Mercusys AC12G (EU) V1 router, specifically firmware versions AC12G(EU)_V1_200909 and AC12G(EU)_V1_210128, is vulnerable to kernel memory disclosure. The UPnP GetStatusInfo action on the WANIPConnection service, accessible via /ipc on port 1900, incorrectly returns a raw MIPS KSEG0 kernel memory address instead of the expected connection status string [1].

Exploitation

An unauthenticated attacker on the adjacent network can send a crafted UPnP request to the GetStatusInfo action. The router responds with a raw kernel virtual address in the NewConnectionStatus field. No credentials are involved, because UPnP is typically accessible on the LAN without authentication [1].

Impact

Successful exploitation allows an attacker to obtain a raw MIPS KSEG0 kernel pointer. Since VxWorks, the operating system used, lacks ASLR, this leak provides a reliable map of the kernel's memory layout. This information significantly aids in the development of further exploits, potentially leading to code execution, especially given the absence of stack canaries and NX bit protection on VxWorks [1].

Mitigation

This vulnerability affects end-of-life products, and no fix is planned. The available references suggest that the pointer should be dereferenced before string formatting and that the printf format specifier should be corrected. However, no patched firmware version or workaround has been disclosed [1].
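With no patched firmware available, one way to tell whether a device you own shows this behavior is to classify the NewConnectionStatus value in a captured GetStatusInfo response. The following is an added example, not code from the advisory or its reference. The sample response and address values are constructed, the accepted status strings are those of the UPnP WANIPConnection:1 service definition, and it assumes the leaked pointer is rendered as a hex or decimal integer.

```python
import xml.etree.ElementTree as ET

# ConnectionStatus values defined by the UPnP WANIPConnection:1 service.
VALID_STATUS = {"Unconfigured", "Connecting", "Connected",
                "PendingDisconnect", "Disconnecting", "Disconnected"}
KSEG0_START, KSEG0_END = 0x80000000, 0x9FFFFFFF  # MIPS32 KSEG0 range


def kseg0_candidate(text):
    """Return the 32-bit value if text reads as a KSEG0 address, else None."""
    t = text.strip()
    bases = (16,) if t.lower().startswith("0x") else (10, 16)
    for base in bases:
        try:
            value = int(t, base)
        except ValueError:
            continue
        if value < 0:              # a signed rendering of a 32-bit pointer
            value += 1 << 32
        if KSEG0_START <= value <= KSEG0_END:
            return value
    return None


def classify_status(soap_xml):
    """Classify NewConnectionStatus in a GetStatusInfo response body."""
    if "<!DOCTYPE" in soap_xml:    # SOAP forbids DTDs; refuse to parse one
        return "unexpected", None
    root = ET.fromstring(soap_xml)
    for elem in root.iter():
        if elem.tag.rsplit("}", 1)[-1] != "NewConnectionStatus":
            continue
        raw = (elem.text or "").strip()
        if raw in VALID_STATUS:
            return "ok", raw
        addr = kseg0_candidate(raw)
        if addr is not None:
            return "kseg0-pointer", f"0x{addr:08x}"
        return "unexpected", raw
    return "missing", None


def sample_response(status):
    """Constructed GetStatusInfoResponse, not a capture from a real device."""
    return ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
            '<s:Body><u:GetStatusInfoResponse '
            'xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
            f'<NewConnectionStatus>{status}</NewConnectionStatus>'
            '</u:GetStatusInfoResponse></s:Body></s:Envelope>')
```

A `kseg0-pointer` verdict means the field holds a number in the MIPS32 KSEG0 range where a status string belongs; `unexpected` covers any other value outside the defined status set.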

AI Insight generated on Jun 3, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1

News mentions

1