CVE-2026-36618
Received - Intake
Mercusys AC12G (EU) V1 Unbound DNS Version Disclosure

Publication date: 2026-06-03

Last updated on: 2026-06-03

Assigner: MITRE

Description
Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 responds to version.bind CHAOS TXT queries, disclosing the DNS resolver software version (unbound 1.22.0), aiding targeted attacks against known vulnerabilities.
Meta Information
Published: 2026-06-03
Last Modified: 2026-06-03
Generated: 2026-06-04
AI Q&A: 2026-06-03
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 2 associated CPEs
Vendor    Product  Version / Range
mercusys  ac12g    *
unbound   unbound  1.22.0
CWE ID   Description
CWE-200  The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability disclosed in CVE-2026-36618 involves the exposure of the DNS resolver software version and internal hostname via CHAOS TXT queries. This information disclosure could aid attackers in targeting known vulnerabilities, potentially leading to unauthorized access or data breaches.

While the provided information does not explicitly mention compliance with standards such as GDPR or HIPAA, the exposure of internal system details could increase the risk of attacks that compromise confidentiality and integrity of data, which are critical aspects of these regulations.

Therefore, organizations using the affected Mercusys AC12G (EU) V1 router should consider this vulnerability as a factor that may impact their security posture and compliance efforts, especially regarding protecting personal or sensitive data.


Can you explain this vulnerability to me?

CVE-2026-36618 is a vulnerability in the Mercusys AC12G (EU) V1 router firmware that causes the DNS resolver to disclose its software version and internal hostname when responding to specific DNS queries (CHAOS class TXT queries for version.bind and hostname.bind).

This means that any device on the local network can send these special DNS queries to the router and receive information revealing that the DNS resolver is running Unbound version 1.22.0 and the internal hostname "mms-unbound."

This information disclosure can help attackers identify known vulnerabilities associated with that specific software version, enabling them to launch targeted attacks.


How can this vulnerability impact me?

The vulnerability can impact you by providing attackers on your local network with detailed information about the DNS resolver software version and internal hostname of your router.

With this information, attackers can identify known vulnerabilities related to Unbound 1.22.0 and potentially exploit them to compromise your network or devices.

Although the severity is rated as low (CVSS score 3.7), it still increases the risk of targeted attacks against your network.

Additionally, the affected product is end-of-life with no planned fixes, so mitigation requires manual configuration changes.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by sending DNS CHAOS class TXT queries to the router's DNS resolver to check if it responds with version information.

  • Use the command: dig @<router_ip> version.bind TXT CHAOS
  • Use the command: dig @<router_ip> hostname.bind TXT CHAOS

If the router responds with the Unbound DNS resolver version (e.g., unbound 1.22.0) or internal hostname (e.g., mms-unbound), the vulnerability is present.
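
The two dig checks above, as an added Python example (not part of the original advisory or any vendor tooling): it builds the same CHAOS TXT queries in wire format and parses the answer, so the check can be scripted and re-run after changing the resolver configuration. The function names, the fixed query ID and the SAMPLE_* responses are constructed for illustration.

```python
import socket, struct

CLASS_CH, TYPE_TXT = 3, 16  # CHAOS class, TXT record type

def build_query(name, qid=0x1234):
    """Wire-format query for <name> TXT CH, as dig sends it."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    return (struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set, one question
            + labels + b"\x00" + struct.pack(">HH", TYPE_TXT, CLASS_CH))

def skip_name(msg, off):
    """Offset just past a name, which may end in a compression pointer."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def chaos_txt(msg):
    """TXT strings from CH-class answers; [] on REFUSED or an empty answer."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if flags & 0x000F:  # non-zero RCODE
        return []
    off, out = 12, []
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, rclass, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        while rdata and rtype == TYPE_TXT and rclass == CLASS_CH:
            n = rdata[0]  # each TXT string is length-prefixed
            out.append(rdata[1:1 + n].decode("ascii", "replace"))
            rdata = rdata[1 + n:]
    return out

def audit(resolver_ip, names=("version.bind", "hostname.bind"), timeout=2.0):
    """Query a resolver you administer; map each name to what it disclosed."""
    found = {}
    for name in names:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(name), (resolver_ip, 53))
            found[name] = chaos_txt(s.recvfrom(512)[0])
    return found

# Constructed sample responses (not captured traffic): one leaking, one REFUSED.
_Q = build_query("version.bind")[12:]
_TXT = b"\x0eunbound 1.22.0"
SAMPLE_LEAKY = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _Q + b"\xc0\x0c"
                + struct.pack(">HHIH", TYPE_TXT, CLASS_CH, 0, len(_TXT)) + _TXT)
SAMPLE_REFUSED = struct.pack(">HHHHHH", 0x1234, 0x8185, 1, 0, 0, 0) + _Q
```

Calling audit() with the router's address returns a dict keyed by query name; an empty list for both names means nothing was disclosed, and an unanswered query raises a socket timeout.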


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation involves configuring the Unbound DNS resolver on the affected router to hide version and identity information.

  • Set the Unbound configuration option hide-version to yes.
  • Set the Unbound configuration option hide-identity to yes.

Note that the affected product is end-of-life with no planned fixes, so these configuration changes are the recommended mitigation.

