CVE-2026-36611
Description
Mercusys AC12G V1 firmware leaks 128 bytes of uninitialized memory via UPnP port 1900 to unauthenticated adjacent attackers.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Mercusys AC12G (EU) V1 with firmware versions AC12G(EU)_V1_200909 and AC12G(EU)_V1_210128 is vulnerable to an uninitialized buffer disclosure. When receiving POST requests without a SOAPAction header on the UPnP port 1900, the device returns 128 bytes of uninitialized buffer data as the response body instead of a proper HTTP error [1].
Exploitation
An unauthenticated attacker on the adjacent network can trigger this vulnerability by sending a POST request to any endpoint on port 1900, such as /ipc, /ifc, /l3f, /igd.xml, or any arbitrary path, without including the required SOAPAction header [1].
Impact
Successful exploitation exposes 128 bytes of internal server memory, which may include fragments of HTTP response templates from previous requests and internal server state. This can lead to a cross-request information leak accessible to any unauthenticated LAN client [1].
Mitigation
This vulnerability is not planned to be fixed as the affected product is end-of-life. Recommended remediation steps include initializing response buffers to zero before use, returning a proper HTTP error response when required headers are missing, and clearing response buffers between requests to prevent cross-request data leakage [1].
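The three remediation steps above, shown as an added C example that is not the vendor's firmware code: a static 128-byte buffer reused across requests stands in for the leaking response buffer, so the stale data is deterministic. The handler names, the `<r>` response template, the sample action string and the 400 status are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define RESP_LEN 128                 /* leak size stated in the advisory */
static char resp[RESP_LEN];          /* one buffer reused for every request */

/* Count bytes in a response that carry non-zero data. */
size_t nonzero_bytes(const char *p, size_t n) {
    size_t c = 0;
    for (size_t i = 0; i < n; i++) c += (p[i] != 0);
    return c;
}

/* Flawed shape: with no SOAPAction nothing is written, yet all 128 bytes are sent. */
size_t handle_post_flawed(const char *soap_action, const char **body) {
    if (soap_action != NULL)
        snprintf(resp, sizeof resp, "<r>%s</r>", soap_action);
    *body = resp;
    return sizeof resp;
}

/* Hardened shape: clear the buffer, fail closed, send only what was written. */
size_t handle_post_hardened(const char *soap_action, const char **body, int *status) {
    memset(resp, 0, sizeof resp);    /* nothing survives from the previous request */
    *body = resp;
    if (soap_action == NULL) {       /* required header missing */
        *status = 400;               /* assumed error code; the advisory names none */
        return 0;                    /* empty body */
    }
    int n = snprintf(resp, sizeof resp, "<r>%s</r>", soap_action);
    *status = 200;
    if (n < 0) return 0;
    return (size_t)n < sizeof resp ? (size_t)n : sizeof resp - 1;
}

int main(void) {
    const char *body; int status;
    handle_post_flawed("constructed-action#Get", &body);   /* constructed sample input */
    size_t sent = handle_post_flawed(NULL, &body);
    printf("flawed:   %zu bytes sent, %zu stale\n", sent, nonzero_bytes(body, sent));
    handle_post_hardened("constructed-action#Get", &body, &status);
    sent = handle_post_hardened(NULL, &body, &status);
    printf("hardened: status %d, %zu bytes sent, %zu stale in buffer\n",
           status, sent, nonzero_bytes(body, RESP_LEN));
    return 0;
}
```

The second call to each handler is the request without a SOAPAction header; only the flawed handler returns bytes left over from the first request.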
AI Insight generated on Jun 3, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (1)
News mentions (1)
- Mercusys AC12G Router: 15 Vulnerabilities Disclosed on June 3, 2026 (Vypr Intelligence · Jun 3, 2026)