Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 does not validate the HTTP Host header, enabling DNS rebinding attacks. An external attacker can rebind a domain to the router's internal IP address, extending the CORS wildcard vulnerability (Access-Control-Allow-Origin: *) to internet-originated attacks.
AnalysisAI
DNS rebinding on the Mercusys AC12G (EU) V1 router (firmware AC12G(EU)_V1_200909) exposes the router's web management interface to attacker-controlled external origins due to absent HTTP Host header validation. A remote unauthenticated attacker (per CVSS PR:N) can rebind a malicious domain to the router's LAN IP address, then leverage the router's pre-existing CORS wildcard (Access-Control-Allow-Origin: *) to read admin interface responses cross-origin from within the victim's browser. No public exploit beyond the researcher's advisory exists and no CISA KEV listing is present at time of analysis.
Technical ContextAI
CWE-350 (Reliance on Reverse DNS Resolution for a Security-Critical Action) describes the root cause: the router's embedded HTTP server does not validate the HTTP Host header against an allowlist of known-good values (LAN IP, hostname), which is the primary browser-enforced defense against DNS rebinding. DNS rebinding works by registering a domain with an extremely short TTL - initially resolving to the attacker's server to serve the malicious page, then immediately repointing DNS to the victim router's private IP (e.g., 192.168.1.1). The victim's browser, already holding a tab on the attacker's domain, reuses the origin context and routes subsequent XHR/fetch calls to the router. The compounding misconfiguration - CORS response header Access-Control-Allow-Origin: * - strips the same-origin policy backstop that would otherwise block the attacker's JavaScript from reading those responses. Affected hardware is specifically the Mercusys AC12G (EU) V1; the NVD CPE string cpe:2.3:a:n/a:n/a:*:*:*:*:*:*:*:* is unresolved, indicating the NVD has not yet formally catalogued precise CPE boundaries for this firmware.
RemediationAI
No vendor-released patch has been identified at time of analysis. The primary firmware-level fix would be for Mercusys to add Host header validation to the router's HTTP server, rejecting requests whose Host value does not match the router's configured LAN IP or hostname - users should monitor Mercusys firmware release notes for a corrective update. As an immediate network-level workaround, deploying a DNS resolver with anti-rebinding enforcement (dnsmasq --stop-dns-rebind flag, Pi-hole's DNSSEC/rebind protection, or pfSense/OPNsense DNS rebinding protection) at the LAN perimeter blocks the DNS phase of the attack before the browser can redirect requests; this has negligible trade-offs for home/SOHO networks. Disabling the router's web management interface access from the LAN entirely is not a realistic option for most users but would eliminate the attack surface. Restricting LAN access to the router admin UI to a single management host via firewall ACL reduces the pool of exploitable victims. References: researcher advisory at https://github.com/Tymbark7372/MERCUSYS-AC12G/blob/master/advisories/CVE-2026-36604.md; NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-36604.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34143
GHSA-rv93-ggmg-88r9