CVE-2026-36611 in AC12G
Summary
by MITRE • 06/03/2026
Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 returns 128 bytes of uninitialized buffer when receiving POST requests without SOAPAction header on UPnP port 1900, exposing internal memory to unauthenticated adjacent network attackers.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 06/03/2026
This vulnerability exists in the Mercusys AC12G (EU) V1 wireless router firmware version AC12G(EU)_V1_200909 where the UPnP service fails to properly validate incoming POST requests on port 1900. When a client sends a POST request without a SOAPAction header, the device's UPnP implementation returns 128 bytes of uninitialized memory buffer data from the internal memory space. This represents a classic buffer over-read vulnerability that falls under CWE-126 - Buffer Over-read, where the application reads data from memory beyond the bounds of a valid buffer. The flaw occurs specifically within the UPnP service implementation that handles SOAP protocol messages, where proper input validation is missing for the SOAPAction header field. The vulnerability is particularly concerning because it exposes internal memory contents to unauthenticated attackers who are adjacent to the network, as defined by the ATT&CK technique T1046 - Network Service Scanning, where adversaries can probe network services for exploitable conditions. The affected device operates on port 1900, which is the standard UPnP discovery port, making it accessible to any device on the local network segment. This vulnerability can potentially expose sensitive information including device configuration data, memory addresses, or other internal state information that could aid in further exploitation. The uninitialized buffer exposure allows attackers to gather information about the device's internal memory layout and potentially extract useful data that could be used for privilege escalation or other advanced attacks. The vulnerability is classified as a network-based attack vector since it does not require physical access or authentication to exploit. According to the ATT&CK framework, this vulnerability could be leveraged as part of a reconnaissance phase under T1082 - System Information Discovery, where attackers gather information about the target system. The exposure of uninitialized memory data could reveal implementation details about the firmware, potentially exposing patterns or structures that could be used to craft more sophisticated attacks against the device. The impact of this vulnerability extends beyond simple information disclosure, as it could provide attackers with insights into the device's memory management patterns, which could be used to bypass security mechanisms or predict memory layouts for future exploitation attempts. The device's UPnP service implementation lacks proper bounds checking and input validation, creating a pathway for attackers to access memory contents that should remain private and protected. This type of vulnerability is particularly dangerous in networked environments where routers serve as central points of access, as the exposed memory could contain sensitive configuration parameters or authentication-related data that could compromise the entire network. The vulnerability demonstrates a fundamental flaw in secure coding practices where developers did not properly initialize memory buffers or validate input parameters before processing requests, which is a common pattern in embedded device firmware development. The exposure of 128 bytes of uninitialized memory represents a significant security risk that could be exploited by attackers to gain insights into the device's internal operations and potentially use this information to craft targeted attacks against the system. Network security professionals should consider this vulnerability when assessing the security posture of devices that utilize UPnP services, particularly in environments where adjacent network access is possible and where device firmware has not been updated to address known issues. The vulnerability highlights the importance of proper input validation and memory management in embedded systems, as these devices often serve critical network functions and their security vulnerabilities can have wide-ranging impacts on network infrastructure. Organizations should ensure that all network devices are regularly updated with the latest firmware patches that address known security vulnerabilities, particularly those that expose internal memory contents to external network entities. The security implications of this vulnerability extend to potential chain reactions where the exposed information could be used to identify other vulnerabilities or weaknesses in the device's overall security architecture, making it a critical issue that requires immediate attention and remediation.