CVE-2026-36618

Vulnerability

The Mercusys AC12G (EU) V1 router, specifically firmware versions AC12G(EU)_V1_200909 and AC12G(EU)_V1_210128, is vulnerable to information disclosure. The device's DNS resolver, identified as unbound 1.22.0 with the internal hostname "mms-unbound", responds to CHAOS class TXT queries for version.bind and hostname.bind.

Exploitation

An attacker on the local network can send DNS queries to the router, which acts as the default DNS resolver for LAN clients. By querying for version.bind and hostname.bind, the attacker can obtain the exact DNS software version and confirm the device is a Mercusys router.

Impact

Successful exploitation reveals the specific version of the unbound DNS resolver software (1.22.0) and the internal hostname "mms-unbound". This information can assist attackers in researching and targeting known vulnerabilities specific to this version of unbound, and confirms the device's identity.

Mitigation

While a firmware patch is not planned as the product is end-of-life, the unbound DNS resolver can be configured with hide-version: yes and hide-identity: yes to prevent this disclosure. This configuration change is noted in the provided reference [1].