Skip to main content

Mercusys AC12G EUVDEUVD-2026-34143

| CVE-2026-36604 MEDIUM
Reliance on Reverse DNS Resolution for a Security-Critical Action (CWE-350)
2026-06-03 mitre GHSA-rv93-ggmg-88r9
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Analysis Generated
Jun 03, 2026 - 20:23 vuln.today
CVSS changed
Jun 03, 2026 - 20:22 NVD
6.5 (MEDIUM)
CVE Published
Jun 03, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 does not validate the HTTP Host header, enabling DNS rebinding attacks. An external attacker can rebind a domain to the router's internal IP address, extending the CORS wildcard vulnerability (Access-Control-Allow-Origin: *) to internet-originated attacks.

AnalysisAI

DNS rebinding on the Mercusys AC12G (EU) V1 router (firmware AC12G(EU)_V1_200909) exposes the router's web management interface to attacker-controlled external origins due to absent HTTP Host header validation. A remote unauthenticated attacker (per CVSS PR:N) can rebind a malicious domain to the router's LAN IP address, then leverage the router's pre-existing CORS wildcard (Access-Control-Allow-Origin: *) to read admin interface responses cross-origin from within the victim's browser. No public exploit beyond the researcher's advisory exists and no CISA KEV listing is present at time of analysis.

Technical ContextAI

CWE-350 (Reliance on Reverse DNS Resolution for a Security-Critical Action) describes the root cause: the router's embedded HTTP server does not validate the HTTP Host header against an allowlist of known-good values (LAN IP, hostname), which is the primary browser-enforced defense against DNS rebinding. DNS rebinding works by registering a domain with an extremely short TTL - initially resolving to the attacker's server to serve the malicious page, then immediately repointing DNS to the victim router's private IP (e.g., 192.168.1.1). The victim's browser, already holding a tab on the attacker's domain, reuses the origin context and routes subsequent XHR/fetch calls to the router. The compounding misconfiguration - CORS response header Access-Control-Allow-Origin: * - strips the same-origin policy backstop that would otherwise block the attacker's JavaScript from reading those responses. Affected hardware is specifically the Mercusys AC12G (EU) V1; the NVD CPE string cpe:2.3:a:n/a:n/a:*:*:*:*:*:*:*:* is unresolved, indicating the NVD has not yet formally catalogued precise CPE boundaries for this firmware.

RemediationAI

No vendor-released patch has been identified at time of analysis. The primary firmware-level fix would be for Mercusys to add Host header validation to the router's HTTP server, rejecting requests whose Host value does not match the router's configured LAN IP or hostname - users should monitor Mercusys firmware release notes for a corrective update. As an immediate network-level workaround, deploying a DNS resolver with anti-rebinding enforcement (dnsmasq --stop-dns-rebind flag, Pi-hole's DNSSEC/rebind protection, or pfSense/OPNsense DNS rebinding protection) at the LAN perimeter blocks the DNS phase of the attack before the browser can redirect requests; this has negligible trade-offs for home/SOHO networks. Disabling the router's web management interface access from the LAN entirely is not a realistic option for most users but would eliminate the attack surface. Restricting LAN access to the router admin UI to a single management host via firewall ACL reduces the pool of exploitable victims. References: researcher advisory at https://github.com/Tymbark7372/MERCUSYS-AC12G/blob/master/advisories/CVE-2026-36604.md; NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-36604.

Share

EUVD-2026-34143 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy