Skip to main content

Mercusys AC12G EUVDEUVD-2026-34150

| CVE-2026-36611 HIGH
Information Exposure (CWE-200)
2026-06-03 mitre GHSA-rh54-5hmc-6qjg
7.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.3 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
Analysis Generated
Jun 03, 2026 - 20:23 vuln.today
CVSS changed
Jun 03, 2026 - 20:22 NVD
7.3 (HIGH)
CVE Published
Jun 03, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 returns 128 bytes of uninitialized buffer when receiving POST requests without SOAPAction header on UPnP port 1900, exposing internal memory to unauthenticated adjacent network attackers.

AnalysisAI

Information disclosure in Mercusys AC12G (EU) V1 router firmware AC12G(EU)_V1_200909 leaks 128 bytes of uninitialized memory when the UPnP service on port 1900 receives POST requests lacking a SOAPAction header, enabling unauthenticated adjacent-network attackers to harvest internal buffer contents. The flaw is rated CVSS 7.3 (low impact across CIA), and no public exploit identified at time of analysis, though the referenced GitHub advisory documents the issue with reproduction details.

Technical ContextAI

The vulnerability resides in the UPnP/SSDP handler on TCP/UDP port 1900, which is part of the device's automated service-discovery stack. The root cause maps to CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor): when a POST request arrives without the expected SOAPAction header, the handler still allocates and returns a 128-byte response buffer but fails to initialize it, so prior heap/stack contents are echoed back to the requester. UPnP is intended for LAN service negotiation, and Mercusys AC12G is a consumer dual-band Wi-Fi router built on a typical embedded Linux firmware where such uninitialized-memory leaks frequently expose session tokens, credentials, or pointer values useful for chaining further attacks. The provided CPE string (cpe:2.3:a:n/a:n/a) is a placeholder and does not enumerate the actual hardware/firmware CPE.

RemediationAI

No vendor-released patch identified at time of analysis - Mercusys has not published an advisory or fixed firmware in the supplied references, so administrators should monitor https://www.mercusys.com for firmware updates beyond AC12G(EU)_V1_200909 and consult the researcher advisory at https://github.com/Tymbark7372/MERCUSYS-AC12G/blob/master/advisories/CVE-2026-36611.md for current status. As compensating controls, disable the UPnP service on the router (this breaks automatic port-mapping for games, VoIP, and some peer-to-peer applications but eliminates the vulnerable listener), or block inbound traffic to TCP/UDP port 1900 from the LAN at a downstream firewall or managed switch where feasible (this also breaks UPnP discovery for clients on that segment). Segregate untrusted devices (guest Wi-Fi, IoT) onto a separate VLAN that cannot reach the router's management interface, and consider replacing the device if vendor support has lapsed.

Share

EUVD-2026-34150 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy