Executive Summary

CVE-2026-36604 affects the Mercusys AC12G (EU) V1 router with specific firmware versions. The vulnerability arises because the router's HTTP server does not validate the Host header in incoming requests, which allows DNS rebinding attacks.

In this attack, an attacker tricks a victim into visiting a malicious domain that initially resolves to a public IP address. Then, the attacker changes the DNS record to point to the router's internal IP address (such as 192.168.1.1) with a short time-to-live (TTL). Because the router does not validate the Host header and its DNS resolver does not filter private IP addresses, the router accepts requests intended for its internal interface.

Additionally, the router uses a CORS wildcard (Access-Control-Allow-Origin: *), which allows malicious JavaScript loaded from the attacker's domain to read sensitive responses from the router. This vulnerability can be combined with other vulnerabilities to enable complete remote compromise of the router.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an external attacker to remotely compromise the Mercusys AC12G router from any website visited by a user on the local network.

By exploiting the DNS rebinding attack, the attacker can bypass normal network protections and access the router's internal interface, potentially reading sensitive information or manipulating router settings.

When combined with other vulnerabilities (such as brute-force attacks and static authentication nonce issues), it can lead to full remote control over the router, which may result in network disruption, data interception, or further attacks on connected devices.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring HTTP requests to the Mercusys AC12G router for improper Host header validation and by checking DNS responses for private IP addresses returned for external domains.

You can use network traffic analysis tools like tcpdump or Wireshark to capture HTTP requests and inspect the Host headers for anomalies.

• Use tcpdump to capture HTTP traffic to the router's IP (e.g., 192.168.1.1): tcpdump -i <interface> host 192.168.1.1 and port 80
• Inspect captured packets for HTTP requests with unusual or missing Host headers.
• Check DNS responses for external domains resolving to private IP ranges (192.168.x.x, 10.x.x.x, 127.x.x.x) using tools like dig or nslookup.
• Example command to query DNS and check IP: dig example.com +short

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include configuring the router's DNS resolver to block private IP addresses in DNS responses, validating the HTTP Host header on the router, and removing the CORS wildcard header (Access-Control-Allow-Origin: *).

Since the affected Mercusys AC12G router is end-of-life with no planned fixes, consider the following actions:

• Restrict DNS resolver settings to prevent resolving external domains to private IP ranges.
• Implement firewall rules to block suspicious inbound HTTP requests with invalid Host headers.
• Remove or restrict the use of the CORS wildcard header to limit cross-origin resource sharing.
• Avoid visiting untrusted websites from devices connected to the vulnerable router.
• Consider replacing the router with a supported device that receives security updates.

Useful 0 Not Useful 0

Compliance Impact

The provided information does not explicitly address how the vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0