Executive Summary

CVE-2026-36603 affects the Mercusys AC12G (EU) V1 router with firmware versions AC12G(EU)_V1_200909 and AC12G(EU)_V1_210128. The vulnerability is due to an unauthenticated UPnP IGD (Internet Gateway Device) implementation on port 1900, which exposes 15 out of 18 SOAP actions without requiring any authentication.

This includes critical functions such as AddPortMapping and GetExternalIPAddress, allowing any device on the local network to manipulate port forwarding rules, terminate the WAN connection, or access sensitive network information like the WAN IP address and traffic statistics.

UPnP is enabled by default and cannot be disabled through the admin interface, and there is no per-action authentication, making the device vulnerable to unauthorized access and control from any unauthenticated LAN device.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows any unauthenticated device on the local network to create arbitrary port forwarding rules, which can expose internal network services to the internet without authorization.

An attacker could also terminate the WAN connection or access sensitive WAN traffic statistics and the external IP address, potentially disrupting network availability and compromising network privacy.

Because UPnP cannot be disabled and there is no authentication, the risk of unauthorized network manipulation and information disclosure is high.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by scanning the local network for devices exposing UPnP IGD services on port 1900 without authentication.

You can use network scanning tools or commands to check for open UPnP services and test if critical SOAP actions like AddPortMapping and GetExternalIPAddress are accessible without authentication.

• Use nmap to scan for UPnP services on port 1900: nmap -sU -p 1900 --script=upnp-info <target_ip>
• Use a UPnP client tool or script to send SOAP requests for actions such as AddPortMapping or GetExternalIPAddress to verify if they respond without authentication.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable router's LAN interface to trusted devices only, since UPnP is enabled by default and cannot be disabled via the admin interface.

Other recommended actions are to implement network-level controls such as firewall rules to block or limit UPnP traffic on port 1900, and monitor for unauthorized port forwarding rules.

Long-term mitigations suggested include implementing UPnP authentication, providing an option to disable UPnP, restricting AddPortMapping requests to the originating client's IP, and rate-limiting UPnP operations, though these require firmware updates which are not planned for this end-of-life device.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in the Mercusys AC12G (EU) V1 router allows unauthenticated local devices to manipulate port forwarding rules and access WAN traffic statistics, potentially exposing sensitive network information.

Such unauthorized access and control over network traffic could lead to violations of common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data and mandate secure network configurations to prevent unauthorized access.

Because UPnP is enabled by default with no option to disable it and no authentication, this vulnerability increases the risk of data exposure and unauthorized network access, thereby negatively impacting compliance with these regulations.

Useful 0 Not Useful 0