Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-36611 affects the Mercusys AC12G (EU) V1 router with specific firmware versions. The vulnerability occurs in the UPnP service running on port 1900, where if a POST request is sent without the required SOAPAction header, the device responds with 128 bytes of uninitialized internal buffer data instead of a proper error message.

This uninitialized buffer disclosure exposes internal memory contents such as parsed request headers, fragments of previous HTTP responses, and other sensitive internal data. The root cause is shared buffer management between the UPnP HTTP server and the main web interface.

Importantly, no authentication is required to exploit this vulnerability, and it can be triggered by an attacker on an adjacent network.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unintended disclosure of internal memory contents from the affected router. An attacker on the same local network can exploit this flaw to obtain sensitive information such as fragments of HTTP requests and responses, which may include confidential data or clues useful for further attacks.

Since the vulnerability requires no authentication, it lowers the barrier for attackers to gain insights into the device's internal state, potentially aiding in reconnaissance or exploitation of other vulnerabilities.

The affected product is end-of-life with no planned fixes, meaning the risk remains unless the device is replaced or mitigated by network controls.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by sending a POST request without the SOAPAction header to the UPnP service on port 1900 of the Mercusys AC12G (EU) V1 router. If the device responds with 128 bytes of uninitialized internal buffer data instead of a proper error message, it indicates the presence of the vulnerability.

A possible command to test this could be using curl or a similar HTTP client to send a POST request without the SOAPAction header to port 1900. For example:

• curl -v -X POST http://[router_ip]:1900/ -H "Content-Type: text/xml" --header "SOAPAction:"

If the response contains unexpected 128 bytes of data that appear to be uninitialized memory or fragments of internal data, the device is vulnerable.

Useful 0 Not Useful 0

Mitigation Strategies

Since the affected Mercusys AC12G (EU) V1 router is end-of-life with no planned fixes, immediate mitigation steps include:

• Restrict access to the UPnP port 1900 service to trusted and authenticated networks only, preventing unauthenticated adjacent network attackers from reaching the device.
• Disable UPnP services on the router if they are not required.
• Monitor network traffic for suspicious POST requests to port 1900 without SOAPAction headers.

Long term, consider replacing the affected device with a supported model that receives security updates.

Useful 0 Not Useful 0