CVE-2026-36605
HTTP Denial of Service in Mercusys AC12G (EU) V1 Router
Publication date: 2026-06-03
Last updated on: 2026-06-03
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mercusys | ac12g | ac12g(eu)_v1_200909 |
| mercusys | ac12g | ac12g(eu)_v1_210128 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-36605 affects the Mercusys AC12G (EU) V1 router with firmware versions AC12G(EU)_V1_200909 and AC12G(EU)_V1_210128. The vulnerability allows a denial of service (DoS) attack via crafted incomplete HTTP requests.
By opening around 50 concurrent TCP connections with slow or incomplete HTTP headers, an attacker can exhaust the router's fixed connection pool, causing the HTTP server to become permanently unresponsive.
This crash also affects the UPnP service on port 1900, likely due to shared threading or resource pools. The only way to recover is by physically power cycling the router, as the crash persists even after waiting several minutes.
How can this vulnerability impact me?
The vulnerability causes the router's HTTP server and UPnP service to become permanently unresponsive until the device is physically power cycled.
While the data plane, including internet routing and DNS, remains operational, the control plane, specifically the web admin interface and UPnP, becomes inaccessible.
This means you would lose remote management capabilities and UPnP functionality, potentially disrupting device configuration and network services that rely on UPnP.
Exploitation is trivial from a LAN device, requiring only about 50 TCP connections, making it a high-severity risk.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by observing the router's HTTP server behavior when subjected to multiple incomplete HTTP requests. Specifically, if around 50 concurrent TCP connections with slow or incomplete HTTP headers are opened, the HTTP server will become permanently unresponsive, indicating the presence of the vulnerability.
To test this, you can use network tools to open multiple TCP connections to the router's HTTP port and send incomplete HTTP requests. For example, using tools like netcat (nc) or custom scripts to simulate slow HTTP headers can help detect the issue.
- Use netcat to open multiple connections: `for i in {1..50}; do nc <router_ip> 80 & done`
- Send incomplete HTTP headers slowly to exhaust the connection pool.
If the router's web admin interface and UPnP service on port 1900 become inaccessible and require physical power cycling to recover, this confirms the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include avoiding exposure of the router's HTTP admin interface to untrusted networks and limiting the number of concurrent connections from LAN devices.
Since the vendor has marked the product as end-of-life with no planned fixes, the following actions are recommended:
- Physically power cycle the router if it becomes unresponsive due to the attack.
- Restrict access to the router's web admin interface to trusted devices only.
- Monitor network traffic for unusual numbers of incomplete HTTP requests targeting the router.
- Consider replacing the affected router model with a supported device that receives security updates.
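The monitoring step above can be sketched as follows. This is an added example, not code from the advisory or the vendor: it scans connection records for the router's HTTP port and reports LAN sources that hold many connections open without ever finishing their request headers. The record layout, the 10-second grace period, the alert threshold of 20 and the sample addresses are assumptions made for illustration.

```python
from collections import defaultdict

# Assumed values (not from the advisory): alert well before the ~50
# concurrent connections the page says exhaust the router's pool.
GRACE_SECONDS = 10
ALERT_THRESHOLD = 20

def stalled_peak(records, grace=GRACE_SECONDS):
    """Return {src_ip: peak number of simultaneously stalled connections}.

    records: iterable of (src_ip, opened, closed_or_None, request_bytes).
    A connection is stalled from opened + grace until it closes if its
    request headers never ended with the blank line (CRLF CRLF).
    """
    events = defaultdict(list)
    for src, opened, closed, data in records:
        if b"\r\n\r\n" in data:
            continue  # headers completed: an ordinary request
        end = float("inf") if closed is None else closed
        start = opened + grace
        if end <= start:
            continue  # gave up inside the grace period: not holding a slot
        events[src].append((start, 1))
        events[src].append((end, -1))
    peaks = {}
    for src, evs in events.items():
        live = peak = 0
        # Tuple sort puts -1 before +1 at equal times, so a close is
        # counted before an open that happens at the same instant.
        for _, delta in sorted(evs):
            live += delta
            peak = max(peak, live)
        peaks[src] = peak
    return peaks

def suspicious_sources(records, threshold=ALERT_THRESHOLD):
    """Sources whose stalled-connection peak reaches the threshold."""
    return sorted(s for s, p in stalled_peak(records).items() if p >= threshold)

def sample_records():
    """Constructed sample data: one normal client, one stalling client."""
    done = b"GET / HTTP/1.1\r\nHost: 192.168.1.1\r\n\r\n"
    partial = b"GET / HTTP/1.1\r\nHost: 192.168.1.1\r\n"
    recs = [("192.168.1.10", 0.0, 0.4, done),
            ("192.168.1.10", 5.0, 6.0, partial)]  # aborted page load
    recs += [("192.168.1.77", 100.0 + i * 0.1, None, partial) for i in range(50)]
    return recs
```

Feed it records built from a packet capture or flow log taken on the LAN side of the router; counting the peak rather than the total keeps a client that merely retries a slow page many times in sequence from triggering the alert.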
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.