CVE-2026-36608 in AC12G

Summary

by MITRE • 06/03/2026

Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 allows UPnP AddPortMapping to forward external ports to the router's own admin interface by accepting its own IP (192.168.1.1) or localhost (127.0.0.1) as InternalClient. An unauthenticated LAN attacker can expose the admin panel to the internet with a single SOAP request.


Analysis

by VulDB Data Team • 06/03/2026

This vulnerability exists in the Mercusys AC12G (EU) V1 router, firmware version AC12G(EU)_V1_200909, where the Universal Plug and Play (UPnP) implementation fails to properly validate internal client addresses during port mapping operations. The flaw allows an attacker to specify the router's own IP address (192.168.1.1) or localhost (127.0.0.1) as the InternalClient parameter in the AddPortMapping SOAP request, which bypasses normal access controls and exposes the router's administrative interface to external networks. This is a critical security weakness that aligns with CWE-284 Access Control Issues and manifests as improper access control within the UPnP service implementation. The vulnerability is particularly concerning because it requires no authentication from the attacking LAN user and can be exploited through a single SOAP request, making it highly accessible to attackers within the local network segment.

The operational impact of this vulnerability is severe as it allows an unauthenticated attacker to remotely expose the router's administrative panel to the internet without requiring any privileged credentials or complex exploitation techniques. Once the port mapping is established, the attacker can access the router's web-based administration interface from external networks, potentially gaining full control over router configuration settings, network parameters, and administrative functions. This creates an immediate risk of unauthorized access to the network infrastructure, enabling attackers to modify firewall rules, change administrator passwords, configure port forwarding for other malicious services, or even redirect traffic to malicious endpoints. The attack can be executed entirely from within the local network, making it particularly dangerous in environments where internal network monitoring is insufficient or where users may be tricked into executing malicious commands through social engineering.

From a threat modeling perspective, this vulnerability maps to multiple ATT&CK techniques including T1071.004 Application Layer Protocol: DNS and T1046 Network Service Scanning, as the attacker can leverage the UPnP service to establish persistent access to the administrative interface. The vulnerability also relates to T1566 Credential Access: Phishing and T1021.001 Remote Services: Remote Desktop Protocol, as it enables unauthorized remote access to network administration functions. Network segmentation protections are effectively bypassed since the UPnP service allows arbitrary port mapping without proper validation of internal client addresses. The vulnerability demonstrates a fundamental flaw in network service implementation where the UPnP service fails to properly validate its own internal addresses, creating an access control bypass that could be leveraged for further attacks within the network. Organizations should implement immediate network segmentation controls and disable UPnP services on affected routers to prevent exploitation.

Mitigation strategies should include disabling UPnP services entirely on affected routers, as this is the most effective immediate solution to prevent exploitation. Network administrators should also implement strict firewall rules to prevent external access to administrative interfaces and ensure that only authorized internal IP addresses can access router management functions. Regular firmware updates should be applied to address known vulnerabilities, and network monitoring should be enhanced to detect unusual port mapping activities or unauthorized access attempts to administrative interfaces. The vulnerability highlights the importance of proper input validation and access control implementation in network services, particularly those that provide remote management capabilities. Organizations should conduct regular vulnerability assessments of network infrastructure devices to identify similar flaws in other network services and ensure that proper security controls are in place to prevent unauthorized access to critical network management functions. Additionally, implementing network access control lists and monitoring for suspicious UPnP activity can provide early detection of potential exploitation attempts.
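The missing InternalClient check described in the analysis, and the monitoring for unusual port mappings recommended above, can both be expressed with one validator. The following is an added example, not vendor or VulDB code; the /24 LAN, the table layout, the names reject_reason and audit_mappings, and the optional "map only to yourself" policy are assumptions made for illustration.

```python
import ipaddress

# Assumed values for illustration: the router LAN address from the advisory
# and a /24 LAN; a real device would read these from its interface config.
ROUTER_ADDRS = {ipaddress.ip_address("192.168.1.1")}
LAN_NET = ipaddress.ip_network("192.168.1.0/24")


def reject_reason(internal_client, requester_ip=None):
    """Return why an AddPortMapping InternalClient must be refused, or None."""
    try:
        # Strict parse: host names ("localhost") and short forms ("127.1")
        # are refused instead of being resolved by a lenient parser.
        addr = ipaddress.ip_address(internal_client.strip())
    except ValueError:
        return "not a literal IP address"
    if addr.version == 6 and addr.ipv4_mapped:
        addr = addr.ipv4_mapped          # ::ffff:192.168.1.1 -> 192.168.1.1
    if addr.is_loopback or addr.is_unspecified:
        return "loopback or unspecified address"
    if addr in ROUTER_ADDRS:
        return "router's own address"
    if addr not in LAN_NET:
        return "outside the LAN subnet"
    if addr in (LAN_NET.network_address, LAN_NET.broadcast_address):
        return "network or broadcast address"
    # Optional stricter policy (assumption): a client may only map to itself.
    if requester_ip is not None and addr != ipaddress.ip_address(requester_ip):
        return "InternalClient differs from requester"
    return None


def audit_mappings(entries):
    """Flag existing port mappings whose target the validator would refuse."""
    return [(e, why) for e in entries
            if (why := reject_reason(e["internal_client"]))]


# Constructed sample of a port-mapping table (not from a real device).
SAMPLE_TABLE = [
    {"ext_port": 8080, "internal_client": "192.168.1.1", "int_port": 80},
    {"ext_port": 8443, "internal_client": "127.0.0.1", "int_port": 80},
    {"ext_port": 51413, "internal_client": "192.168.1.23", "int_port": 51413},
]

if __name__ == "__main__":
    for entry, why in audit_mappings(SAMPLE_TABLE):
        print(entry["ext_port"], "->", entry["internal_client"], ":", why)
```

On a multi-homed device, ROUTER_ADDRS should list every address the router itself answers on, not only the LAN one.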

Responsible: MITRE

Reservation: 04/06/2026

Disclosure: 06/03/2026

Moderation: accepted

CPE: ready

EPSS: 0.00000

KEV: no

Activities: low
