CVE-2026-36603

Vulnerability

The Mercusys AC12G (EU) V1 router, specifically firmware versions AC12G(EU)_V1_200909 and AC12G(EU)_V1_210128, exposes 15 of 18 UPnP IGD SOAP actions without authentication on port 1900. UPnP is enabled by default and cannot be disabled via the admin interface.

Exploitation

Any unauthenticated device on the local area network (LAN) can interact with the UPnP IGD service. An attacker can leverage this by sending unauthenticated requests to port 1900 to execute actions such as AddPortMapping, DeletePortMapping, ForceTermination, and GetExternalIPAddress.

Impact

Successful exploitation allows any LAN device to create arbitrary port forwarding rules, potentially exposing internal services to the WAN. Attackers can also disconnect the WAN connection, access sensitive network information like the WAN IP address, and monitor traffic statistics. This vulnerability is a prerequisite for other related attacks [1].

Mitigation

According to the provided reference, the affected products are end-of-life, and no fix is planned. There are no workarounds mentioned in the available references. The product is not listed as part of the CISA KEV catalog [1].