CVE-2026-36604

Vulnerability

Mercusys AC12G (EU) V1 routers, specifically firmware versions AC12G(EU)_V1_200909 and AC12G(EU)_V1_210128, contain an HTTP server that does not validate the Host header. This, combined with a DNS resolver that does not filter private IP addresses, enables DNS rebinding attacks [1].

Exploitation

An external attacker can exploit this vulnerability by hosting a malicious website. The attacker's DNS server is configured with a short TTL, initially resolving a domain to the attacker's public IP. When a victim visits the site, malicious JavaScript loads. The attacker then updates the DNS record to point the domain to the router's internal IP address (e.g., 192.168.1.1). Subsequent requests from the JavaScript are sent to the router, which accepts them due to the lack of Host header validation [1].

Impact

Successful exploitation allows an attacker's JavaScript, running in the victim's browser, to access the router's LAN-only administrative interface from the internet. This is possible because the router sets Access-Control-Allow-Origin: * on all HTTP responses, enabling the JavaScript to read the full response content. When chained with other vulnerabilities, this can lead to complete remote router compromise [1].

Mitigation

No specific patched firmware version or release date is disclosed in the available references. Users are advised to check for firmware updates from Mercusys. The router is listed as Medium severity with a CVSS score of 6.5 [1].