CVE-2026-36608
Received - Intake
UPnP Port Forwarding to Admin Interface in Mercusys AC12G (EU) V1

Publication date: 2026-06-03

Last updated on: 2026-06-03

Assigner: MITRE

Description
Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 allows UPnP AddPortMapping to forward external ports to the router's own admin interface by accepting its own IP (192.168.1.1) or localhost (127.0.0.1) as InternalClient. An unauthenticated LAN attacker can expose the admin panel to the internet with a single SOAP request.
Meta Information
Published: 2026-06-03
Last Modified: 2026-06-03
Generated: 2026-06-04
AI Q&A: 2026-06-03
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
mercusys ac12g ac12g(eu)_v1_200909
mercusys ac12g ac12g(eu)_v1_210128
CWE ID Description
CWE-441 The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-36608 affects the Mercusys AC12G (EU) V1 router with specific firmware versions. The vulnerability lies in the UPnP AddPortMapping action, which does not properly validate the InternalClient parameter.

An unauthenticated attacker on the local network can exploit this by specifying the router's own IP address (192.168.1.1) or localhost (127.0.0.1) as the internal client. This creates a port forwarding rule that exposes the router's admin panel (usually on port 80) to the internet through the WAN port.

The attack requires only a single unauthenticated SOAP request, and the port mapping remains until manually removed or the router is rebooted. No logs are generated for this action, so the user remains unaware that the admin panel is exposed.


How can this vulnerability impact me?

This vulnerability can critically impact you by letting an unauthenticated attacker on your local network expose your router's administrative interface to the internet.

An attacker can remotely access the admin panel via the WAN IP, potentially allowing them to change router settings, intercept traffic, or compromise your network.

If combined with other vulnerabilities like CVE-2026-36607 (lack of rate limiting), the attacker could brute-force the admin credentials, leading to full control over the router.

Since the port forwarding rule persists until manual removal or reboot, the exposure can last indefinitely without user awareness.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking if the router has any UPnP port forwarding rules that map external ports to the router's own IP address (192.168.1.1) or localhost (127.0.0.1), especially forwarding port 80 (the admin panel) to the WAN interface.

Since the exploit involves the UPnP AddPortMapping action creating such rules without authentication and without log entries, detection involves querying the router's UPnP port mappings to identify any suspicious entries.

You can use UPnP client tools or commands to list current port mappings. For example, on a Linux system, you can use the 'upnpc' command from the miniupnpc package:

  • upnpc -l

Review the output for any port forwarding entries where the internal client IP is 192.168.1.1 or 127.0.0.1, especially those forwarding port 80.

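Alternatively, you can scan the WAN IP of the router for open port 80 to see if the admin panel is exposed externally. The external port of a mapping is chosen by the request that creates it, so a closed port 80 on the WAN side does not rule out exposure on another port; the UPnP mapping list remains the primary check.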

  • nmap -p 80 <router_wan_ip>
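
The review of `upnpc -l` output described above can be scripted. This is an added example, not part of the original page or any vendor tooling; the function names are hypothetical, the sample output is constructed, and it assumes upnpc's usual listing layout (index, protocol, exPort->inAddr:inPort). It also goes slightly beyond the text by flagging the whole 127.0.0.0/8 loopback range rather than only 127.0.0.1.

```shell
#!/bin/sh
# Added example: flag UPnP mappings whose internal client is the router itself.

# Constructed sample of `upnpc -l` output (addresses and descriptions invented).
sample_upnpc_output() {
cat <<'EOF'
Found valid IGD : http://192.168.1.1:1900/ipc
Local LAN ip address : 192.168.1.100
ExternalIPAddress = 203.0.113.5
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 TCP  8080->192.168.1.1:80    'sample-a' '' 0
 1 UDP  6881->192.168.1.100:6881  'sample-b' '' 0
 2 TCP  8443->127.0.0.1:80    'sample-c' '' 0
GetGenericPortMappingEntry() returned 713 (SpecifiedArrayIndexInvalid)
EOF
}

# Usage: upnpc -l | flag_self_mappings [ROUTER_LAN_IP]
# Prints one line per mapping that targets the router's LAN IP or loopback.
flag_self_mappings() {
    router_ip="${1:-192.168.1.1}"
    awk -v router="$router_ip" '
        # Mapping rows start with a numeric index followed by the protocol.
        $1 ~ /^[0-9]+$/ && ($2 == "TCP" || $2 == "UDP") {
            # Third field is exPort->inAddr:inPort; split it into its parts.
            n = split($3, m, /->|:/)
            if (n != 3) next
            if (m[2] == router || m[2] ~ /^127\./)
                printf "SELF-MAPPING %s external %s -> %s:%s\n", $2, m[1], m[2], m[3]
        }
    '
}

# Stand-alone demonstration on the constructed sample.
sample_upnpc_output | flag_self_mappings 192.168.1.1
```

Any line printed is a mapping to remove; an empty result means no listed mapping targets the router's own address.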

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include manually removing any UPnP port forwarding rules that expose the router's admin interface to the internet, especially those forwarding port 80 to 192.168.1.1 or 127.0.0.1.

Rebooting the router will clear the port mapping rules created by this vulnerability, but the issue may reoccur if the router is exploited again.

Disable UPnP on the router if possible, to prevent unauthenticated port mapping requests.

Restrict access to the router's admin interface by limiting it to LAN only and not exposing it to the WAN.

Since the vendor has marked the product as end-of-life with no planned fixes, consider replacing the router with a supported device that implements proper UPnP validation and authentication.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows an unauthenticated attacker on the local network to expose the router's admin interface to the internet without user awareness, potentially leading to unauthorized remote access and control.

Such unauthorized exposure of administrative interfaces can lead to breaches of confidentiality, integrity, and availability of network devices, which may result in non-compliance with data protection regulations like GDPR and HIPAA that require safeguarding access to sensitive systems and data.

Since the vulnerability enables persistent unauthorized access without logging or user notification, it undermines security controls that are often mandated by these standards to prevent unauthorized access and ensure auditability.

