Skip to main content

Mercusys AC12G EUVDEUVD-2026-34147

| CVE-2026-36608 HIGH
Unintended Proxy or Intermediary ('Confused Deputy') (CWE-441)
2026-06-03 mitre GHSA-2q23-65hh-rjx9
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
Jun 03, 2026 - 20:31 vuln.today
CVSS changed
Jun 03, 2026 - 19:22 NVD
8.8 (HIGH)
CVE Published
Jun 03, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 allows UPnP AddPortMapping to forward external ports to the router's own admin interface by accepting its own IP (192.168.1.1) or localhost (127.0.0.1) as InternalClient. An unauthenticated LAN attacker can expose the admin panel to the internet with a single SOAP request.

AnalysisAI

Unauthenticated LAN-to-WAN admin panel exposure in Mercusys AC12G (EU) V1 routers running firmware AC12G(EU)_V1_200909 allows any device on the local network to publish the router's own administrative interface to the public internet via a single UPnP SOAP request. Because the device fails to reject loopback and its own LAN IP as the InternalClient in AddPortMapping requests, an attacker can pivot a temporary LAN foothold into a permanent, internet-reachable management plane exposure. No public exploit is identified at time of analysis, but the technique is trivial and well-documented in the referenced advisory.

Technical ContextAI

The flaw lives in the router's UPnP IGD (Internet Gateway Device) implementation, which exposes a SOAP endpoint for WANIPConnection:AddPortMapping so that LAN clients (typically games, P2P apps, VoIP) can request inbound NAT pin-holes. CWE-441 (Unintended Proxy or Intermediary, 'Confused Deputy') applies because the router accepts InternalClient values pointing to itself - 192.168.1.1 (its own LAN gateway IP) or 127.0.0.1 (loopback) - and dutifully forwards a chosen WAN port to its own HTTP(S) administration service. A correctly hardened UPnP stack would refuse mappings whose InternalClient resolves to the gateway itself or to localhost, as recommended in UPnP IGD security guidance and RFC 6886/6887 implementation notes. The CPE field in the source data is a placeholder (cpe:2.3:a:n/a:n/a) and does not enumerate the actual product, so identification relies on the description and advisory; the affected device is the Mercusys AC12G (EU) V1 hardware revision running firmware build AC12G(EU)_V1_200909.

RemediationAI

No vendor-released patch identified at time of analysis - neither Mercusys' advisory page nor a fixed firmware build is referenced in the available data, so monitor the Mercusys support site for an AC12G(EU)_V1 firmware update superseding AC12G(EU)_V1_200909 and apply it as soon as published. As compensating controls, disable UPnP entirely in the router's NAT/Forwarding configuration (side effect: games, console NAT type, VoIP, and some P2P applications may require manual port forwarding); if UPnP must remain enabled, segment untrusted devices onto the guest SSID (which on Mercusys is typically isolated from the LAN and from the management interface) so they cannot reach the UPnP SOAP endpoint; additionally restrict the WAN-side admin interface by disabling 'Remote Management' and changing the admin port from defaults so that any mapping created by exploitation is less directly useful, and rotate the admin password since prior compromise via this vector cannot be ruled out. Reference advisory: https://github.com/Tymbark7372/MERCUSYS-AC12G/blob/master/advisories/CVE-2026-36608.md.

Share

EUVD-2026-34147 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy