VYPR
High severity (8.8) · NVD Advisory · Published Jun 3, 2026 · Updated Jun 3, 2026

CVE-2026-36608

Description

Mercusys AC12G router firmware allows unauthenticated LAN attackers to expose the admin panel to the internet via UPnP.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Mercusys AC12G (EU) V1 router, specifically firmware versions AC12G(EU)_V1_200909 and AC12G(EU)_V1_210128, contains a vulnerability in its UPnP IGD AddPortMapping action. The handler does not validate that the IP address supplied in the InternalClient parameter differs from the router's own LAN IP (e.g., 192.168.1.1) or localhost (127.0.0.1). This allows the creation of port forwarding rules that point to the router's internal administrative interface [1].
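The check described above, as an added example rather than Mercusys firmware code: a server-side validator for the InternalClient argument of AddPortMapping, applied to parsed UPnP IGD SOAP bodies. It rejects the router's own LAN address and loopback (the check the advisory says is missing) and, as a stricter policy that goes beyond the advisory, anything outside the LAN subnet. The LAN interface 192.168.1.1/24, the sample request bodies and all function names are constructed for this demonstration; the argument names (NewInternalClient, NewExternalPort, and so on) are those of the standard WANIPConnection service.

```python
# Added example (not Mercusys firmware code): the InternalClient validation the
# advisory says the AC12G's AddPortMapping handler lacks. The LAN interface and
# the sample SOAP bodies below are constructed for the demonstration.
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# Assumed router configuration: one LAN interface, 192.168.1.1 on a /24.
ROUTER_LAN_INTERFACES = ("192.168.1.1/24",)


@dataclass
class PortMapping:
    external_port: int
    protocol: str
    internal_port: int
    internal_client: str


def _local(tag: str) -> str:
    """Strip the XML namespace: '{urn:...}AddPortMapping' -> 'AddPortMapping'."""
    return tag.rsplit("}", 1)[-1]


def parse_add_port_mapping(soap_body: str) -> Optional[PortMapping]:
    """Extract the AddPortMapping arguments from a SOAP envelope, or None if absent."""
    root = ET.fromstring(soap_body)
    for el in root.iter():
        if _local(el.tag) == "AddPortMapping":
            args = {_local(c.tag): (c.text or "").strip() for c in el}
            return PortMapping(
                external_port=int(args.get("NewExternalPort", "0")),
                protocol=args.get("NewProtocol", ""),
                internal_port=int(args.get("NewInternalPort", "0")),
                internal_client=args.get("NewInternalClient", ""),
            )
    return None


def validate_internal_client(internal_client: str,
                             lan_interfaces=ROUTER_LAN_INTERFACES) -> tuple[bool, str]:
    """Return (accepted, reason). Rejects the router's own addresses (the missing
    check from the advisory) and, as a stricter policy, anything outside the LAN."""
    try:
        target = ipaddress.ip_address(internal_client)
    except ValueError:
        return False, "InternalClient is not an IP address literal"
    if target.is_loopback:
        return False, "InternalClient is a loopback address"
    if target.is_unspecified or target.is_multicast:
        return False, "InternalClient is not a unicast host address"
    for cidr in lan_interfaces:
        iface = ipaddress.ip_interface(cidr)
        if target == iface.ip:
            return False, "InternalClient is the router's own LAN address"
        if target in iface.network:
            return True, "ok"
    return False, "InternalClient is outside the LAN"


def check_request(soap_body: str) -> tuple[bool, str]:
    """Parse the request and decide whether the mapping may be created."""
    mapping = parse_add_port_mapping(soap_body)
    if mapping is None:
        return False, "no AddPortMapping action in body"
    if not (1 <= mapping.external_port <= 65535 and 1 <= mapping.internal_port <= 65535):
        return False, "port out of range"
    return validate_internal_client(mapping.internal_client)


def _envelope(internal_client: str, external_port: int, internal_port: int) -> str:
    """Build a constructed AddPortMapping SOAP body (WANIPConnection:1 argument names)."""
    return f"""<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Body>
    <u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
      <NewRemoteHost></NewRemoteHost>
      <NewExternalPort>{external_port}</NewExternalPort>
      <NewProtocol>TCP</NewProtocol>
      <NewInternalPort>{internal_port}</NewInternalPort>
      <NewInternalClient>{internal_client}</NewInternalClient>
      <NewEnabled>1</NewEnabled>
      <NewPortMappingDescription>constructed sample</NewPortMappingDescription>
      <NewLeaseDuration>0</NewLeaseDuration>
    </u:AddPortMapping>
  </s:Body>
</s:Envelope>"""


# Constructed samples: a legitimate LAN host mapping and the two cases the
# advisory describes (router LAN IP and loopback as InternalClient).
SAMPLE_OK = _envelope("192.168.1.50", 25565, 25565)
SAMPLE_ROUTER_IP = _envelope("192.168.1.1", 8080, 80)
SAMPLE_LOOPBACK = _envelope("127.0.0.1", 8080, 80)

if __name__ == "__main__":
    for name, body in [("ok", SAMPLE_OK), ("router-ip", SAMPLE_ROUTER_IP), ("loopback", SAMPLE_LOOPBACK)]:
        print(name, check_request(body))
```

The same logic doubles as a detection rule: run `check_request` over AddPortMapping bodies captured from the LAN (or over the router's existing mapping table, comparing each entry's internal client to the gateway address) and alert on any rejection, since an affected device will have accepted the mapping silently.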

Exploitation

An unauthenticated attacker on the local area network can exploit this vulnerability by sending a single SOAP request to the router's UPnP service. The attacker crafts an AddPortMapping request, specifying the router's LAN IP or localhost as the InternalClient and a desired external port. Subsequently, the attacker can use GetExternalIPAddress to discover the router's public IP address. This sequence exposes the router's administrative panel to the internet on the chosen external port [1].

Impact

Successful exploitation allows an attacker to expose the router's administrative panel to the internet. This can lead to unauthorized access and potential takeover of the router, especially when combined with other vulnerabilities such as the lack of rate limiting on authentication attempts. The attacker gains significant control over the device and potentially the network it manages [1].

Mitigation

This vulnerability affects end-of-life products, and no fix is planned by the vendor. Users are advised to replace the affected router with a model that receives ongoing security updates. There are no workarounds available to mitigate this specific vulnerability on the affected devices [1].

AI Insight generated on Jun 3, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

No source-code context for this CVE. Mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 1

News mentions: 1