Skip to main content

Mercusys AC12G CVE-2026-36618

| EUVDEUVD-2026-34155 MEDIUM
Information Exposure (CWE-200)
2026-06-03 mitre GHSA-2876-5r6w-63mx
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Analysis Generated
Jun 03, 2026 - 20:25 vuln.today
CVSS changed
Jun 03, 2026 - 20:22 NVD
4.3 (MEDIUM)
CVE Published
Jun 03, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 responds to version.bind CHAOS TXT queries, disclosing the DNS resolver software version (unbound 1.22.0), aiding targeted attacks against known vulnerabilities.

AnalysisAI

DNS version disclosure on Mercusys AC12G (EU) V1 router exposes the internal unbound 1.22.0 resolver version to unauthenticated adjacent-network attackers via CHAOS TXT queries. Any host on the same network segment can query 'version.bind' and receive a precise software version string, enabling targeted reconnaissance against known unbound vulnerabilities. No active exploitation or public exploit code has been identified at time of analysis, but the disclosure materially reduces attacker effort in follow-on attacks.

Technical ContextAI

The Mercusys AC12G (EU) V1 router running firmware AC12G(EU)_V1_200909 uses the unbound DNS resolver (version 1.22.0) as its recursive DNS component. The CHAOS class (CH) DNS query type, specifically the 'version.bind' TXT record, is a legacy diagnostic mechanism built into BIND and adopted by other resolvers including unbound. By default, unbound responds to these queries with the resolver's version string unless explicitly disabled via the 'hide-version' directive in unbound.conf. CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) applies because the software intentionally responds to this query with version data that should not be surfaced to untrusted network peers. The CPE data provided (cpe:2.3:a:n/a:n/a) is non-specific and does not enumerate unbound directly, but the description confirms unbound 1.22.0 is the affected component embedded in the device firmware.

RemediationAI

No vendor-released patch has been identified at time of analysis for this specific firmware version. The primary compensating control is to disable version disclosure in unbound by adding 'hide-version: yes' to the unbound configuration - however, on consumer routers like the AC12G, direct unbound configuration may not be accessible to end users through the standard management interface, limiting this option to users with shell access or custom firmware. As a network-level workaround, operators can restrict DNS query access to the router from untrusted VLAN segments or guest Wi-Fi networks, ensuring only trusted hosts can reach the resolver - this eliminates the adjacent-network attack surface. Users should monitor Mercusys for a firmware update that addresses this disclosure at the vendor's support portal. If the router is deployed in environments with untrusted co-located users (e.g., shared office networks), consider replacing the device with one that does not expose internal resolver version metadata.

Share

CVE-2026-36618 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy