CVE-2026-36608
Deferred Deferred - Pending Action
UPnP Port Forwarding to Admin Interface in Mercusys AC12G (EU) V1

Publication date: 2026-06-03

Last updated on: 2026-06-03

Assigner: MITRE

Description
Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 allows UPnP AddPortMapping to forward external ports to the router's own admin interface by accepting its own IP (192.168.1.1) or localhost (127.0.0.1) as InternalClient. An unauthenticated LAN attacker can expose the admin panel to the internet with a single SOAP request.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-03
Last Modified
2026-06-03
Generated
2026-06-24
AI Q&A
2026-06-03
EPSS Evaluated
2026-06-22
NVD
CVE-2026-36608
EUVD
EUVD-2026-34147
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
mercusys ac12g ac12g(eu)_v1_200909
mercusys ac12g ac12g(eu)_v1_210128
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-441 The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-36608 affects the Mercusys AC12G (EU) V1 router with specific firmware versions. The vulnerability lies in the UPnP AddPortMapping action, which does not properly validate the InternalClient parameter.

An unauthenticated attacker on the local network can exploit this by specifying the router's own IP address (192.168.1.1) or localhost (127.0.0.1) as the internal client. This creates a port forwarding rule that exposes the router's admin panel (usually on port 80) to the internet through the WAN port.

The attack requires only a single unauthenticated SOAP request, and the port mapping remains until manually removed or the router is rebooted. No logs are generated for this action, so the user remains unaware that the admin panel is exposed.

Impact Analysis

This vulnerability can critically impact you by exposing your router's administrative interface to the internet without authentication.

An attacker can remotely access the admin panel via the WAN IP, potentially allowing them to change router settings, intercept traffic, or compromise your network.

If combined with other vulnerabilities like CVE-2026-36607 (lack of rate limiting), the attacker could brute-force the admin credentials, leading to full control over the router.

Since the port forwarding rule persists until manual removal or reboot, the exposure can last indefinitely without user awareness.

Detection Guidance

This vulnerability can be detected by checking if the router has any UPnP port forwarding rules that map external ports to the router's own IP address (192.168.1.1) or localhost (127.0.0.1), especially forwarding port 80 (the admin panel) to the WAN interface.

Since the exploit involves the UPnP AddPortMapping action creating such rules without authentication and without log entries, detection involves querying the router's UPnP port mappings to identify any suspicious entries.

You can use UPnP client tools or commands to list current port mappings. For example, on a Linux system, you can use the 'upnpc' command from the miniupnpc package:

  • upnpc -l

Review the output for any port forwarding entries where the internal client IP is 192.168.1.1 or 127.0.0.1, especially those forwarding port 80.

Alternatively, you can scan the WAN IP of the router for open port 80 to see if the admin panel is exposed externally.

  • nmap -p 80 <router_wan_ip>
Mitigation Strategies

Immediate mitigation steps include manually removing any UPnP port forwarding rules that expose the router's admin interface to the internet, especially those forwarding port 80 to 192.168.1.1 or 127.0.0.1.

Rebooting the router will clear the port mapping rules created by this vulnerability, but the issue may reoccur if the router is exploited again.

Disable UPnP on the router if possible, to prevent unauthenticated port mapping requests.

Restrict access to the router's admin interface by limiting it to LAN only and not exposing it to the WAN.

Since the vendor has marked the product as end-of-life with no planned fixes, consider replacing the router with a supported device that implements proper UPnP validation and authentication.

Compliance Impact

The vulnerability allows an unauthenticated attacker on the local network to expose the router's admin interface to the internet without user awareness, potentially leading to unauthorized remote access and control.

Such unauthorized exposure of administrative interfaces can lead to breaches of confidentiality, integrity, and availability of network devices, which may result in non-compliance with data protection regulations like GDPR and HIPAA that require safeguarding access to sensitive systems and data.

Since the vulnerability enables persistent unauthorized access without logging or user notification, it undermines security controls that are often mandated by these standards to prevent unauthorized access and ensure auditability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-36608. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart