Executive Summary

CVE-2026-36605 affects the Mercusys AC12G (EU) V1 router with firmware versions AC12G(EU)_V1_200909 and AC12G(EU)_V1_210128. The vulnerability allows a denial of service (DoS) attack via crafted incomplete HTTP requests.

By opening around 50 concurrent TCP connections with slow or incomplete HTTP headers, an attacker can exhaust the router's fixed connection pool, causing the HTTP server to become permanently unresponsive.

This crash also affects the UPnP service on port 1900, likely due to shared threading or resource pools. The only way to recover is by physically power cycling the router, as the crash persists even after waiting several minutes.

Useful 0 Not Useful 0

Impact Analysis

The vulnerability causes the router's HTTP server and UPnP service to become permanently unresponsive until the device is physically power cycled.

While the data plane, including internet routing and DNS, remains operational, the control plane—specifically the web admin interface and UPnP—becomes inaccessible.

This means you would lose remote management capabilities and UPnP functionality, potentially disrupting device configuration and network services that rely on UPnP.

Exploitation is trivial from a LAN device, requiring only about 50 TCP connections, making it a high-severity risk.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by observing the router's HTTP server behavior when subjected to multiple incomplete HTTP requests. Specifically, if around 50 concurrent TCP connections with slow or incomplete HTTP headers are opened, the HTTP server will become permanently unresponsive, indicating the presence of the vulnerability.

To test this, you can use network tools to open multiple TCP connections to the router's HTTP port and send incomplete HTTP requests. For example, using tools like netcat (nc) or custom scripts to simulate slow HTTP headers can help detect the issue.

• Use netcat to open multiple connections: for i in {1..50}; do nc <router_ip> 80 & done
• Send incomplete HTTP headers slowly to exhaust the connection pool.

If the router's web admin interface and UPnP service on port 1900 become inaccessible and require physical power cycling to recover, this confirms the vulnerability.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include avoiding exposure of the router's HTTP admin interface to untrusted networks and limiting the number of concurrent connections from LAN devices.

Since the vendor has marked the product as end-of-life with no planned fixes, the following actions are recommended:

• Physically power cycle the router if it becomes unresponsive due to the attack.
• Restrict access to the router's web admin interface to trusted devices only.
• Monitor network traffic for unusual numbers of incomplete HTTP requests targeting the router.
• Consider replacing the affected router model with a supported device that receives security updates.

Useful 0 Not Useful 0

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0