Executive Summary

CVE-2026-36618 is a vulnerability in the Mercusys AC12G (EU) V1 router firmware that causes the DNS resolver to disclose its software version and internal hostname when responding to specific DNS queries (CHAOS class TXT queries for version.bind and hostname.bind).

This means that any device on the local network can send these special DNS queries to the router and receive information revealing that the DNS resolver is running Unbound version 1.22.0 and the internal hostname "mms-unbound."

This information disclosure can help attackers identify known vulnerabilities associated with that specific software version, enabling them to launch targeted attacks.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability disclosed in CVE-2026-36618 involves the exposure of the DNS resolver software version and internal hostname via CHAOS TXT queries. This information disclosure could aid attackers in targeting known vulnerabilities, potentially leading to unauthorized access or data breaches.

While the provided information does not explicitly mention compliance with standards such as GDPR or HIPAA, the exposure of internal system details could increase the risk of attacks that compromise confidentiality and integrity of data, which are critical aspects of these regulations.

Therefore, organizations using the affected Mercusys AC12G (EU) V1 router should consider this vulnerability as a factor that may impact their security posture and compliance efforts, especially regarding protecting personal or sensitive data.

Useful 0 Not Useful 0

Impact Analysis

The vulnerability can impact you by providing attackers on your local network with detailed information about the DNS resolver software version and internal hostname of your router.

With this information, attackers can identify known vulnerabilities related to Unbound 1.22.0 and potentially exploit them to compromise your network or devices.

Although the severity is rated as low (CVSS score 3.7), it still increases the risk of targeted attacks against your network.

Additionally, the affected product is end-of-life with no planned fixes, so mitigation requires manual configuration changes.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by sending DNS CHAOS class TXT queries to the router's DNS resolver to check if it responds with version information.

• Use the command: dig @<router_ip> version.bind TXT CHAOS
• Use the command: dig @<router_ip> hostname.bind TXT CHAOS

If the router responds with the Unbound DNS resolver version (e.g., unbound 1.22.0) or internal hostname (e.g., mms-unbound), the vulnerability is present.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation involves configuring the Unbound DNS resolver on the affected router to hide version and identity information.

• Set the Unbound configuration option hide-version to yes.
• Set the Unbound configuration option hide-identity to yes.

Note that the affected product is end-of-life with no planned fixes, so these configuration changes are the recommended mitigation.

Useful 0 Not Useful 0