CVE-2026-36611
Mercusys AC12G Uninitialized Buffer Exposure via UPnP POST Request
Publication date: 2026-06-03
Last updated on: 2026-06-03
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mercusys | ac12g | ac12g(eu)_v1_200909 |
| mercusys | ac12g | ac12g(eu)_v1_210128 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-36611 affects the Mercusys AC12G (EU) V1 router with specific firmware versions. The vulnerability occurs in the UPnP service running on port 1900, where if a POST request is sent without the required SOAPAction header, the device responds with 128 bytes of uninitialized internal buffer data instead of a proper error message.
This uninitialized buffer disclosure exposes internal memory contents such as parsed request headers, fragments of previous HTTP responses, and other sensitive internal data. The root cause is shared buffer management between the UPnP HTTP server and the main web interface.
Importantly, no authentication is required to exploit this vulnerability, and it can be triggered by an attacker on an adjacent network.
How can this vulnerability impact me? :
This vulnerability can lead to unintended disclosure of internal memory contents from the affected router. An attacker on the same local network can exploit this flaw to obtain sensitive information such as fragments of HTTP requests and responses, which may include confidential data or clues useful for further attacks.
Since the vulnerability requires no authentication, it lowers the barrier for attackers to gain insights into the device's internal state, potentially aiding in reconnaissance or exploitation of other vulnerabilities.
The affected product is end-of-life with no planned fixes, meaning the risk remains unless the device is replaced or mitigated by network controls.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending a POST request without the SOAPAction header to the UPnP service on port 1900 of the Mercusys AC12G (EU) V1 router. If the device responds with 128 bytes of uninitialized internal buffer data instead of a proper error message, it indicates the presence of the vulnerability.
A possible command to test this could be using curl or a similar HTTP client to send a POST request without the SOAPAction header to port 1900. For example:
- curl -v -X POST http://[router_ip]:1900/ -H "Content-Type: text/xml" --header "SOAPAction:"
If the response contains unexpected 128 bytes of data that appear to be uninitialized memory or fragments of internal data, the device is vulnerable.
What immediate steps should I take to mitigate this vulnerability?
Since the affected Mercusys AC12G (EU) V1 router is end-of-life with no planned fixes, immediate mitigation steps include:
- Restrict access to the UPnP port 1900 service to trusted and authenticated networks only, preventing unauthenticated adjacent network attackers from reaching the device.
- Disable UPnP services on the router if they are not required.
- Monitor network traffic for suspicious POST requests to port 1900 without SOAPAction headers.
Long term, consider replacing the affected device with a supported model that receives security updates.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.