MEDIUM 4.3

CVE-2026-36602: Mercusys AC12G Kernel Memory Disclosure via UPnP

A Mercusys AC12G (EU) V1 router running firmware AC12G(EU)_V1_200909 has a flaw in its UPnP service that exposes internal kernel memory addresses to anyone on the same network segment. An attacker can query the router's UPnP interface to extract a raw MIPS kernel pointer, effectively creating a roadmap of how the router's operating system is laid out in memory. While this doesn't directly compromise the device, it removes a significant barrier to follow-up attacks by revealing memory layout details that are normally hidden.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.3 MEDIUM · CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Weaknesses (CWE)
CWE-200
Affected products
0 configuration(s)
Published / Modified
2026-06-03 / 2026-06-17

NVD description (verbatim)

Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 discloses kernel memory layout via the UPnP GetStatusInfo action. An unauthenticated attacker on the adjacent network can obtain a raw MIPS KSEG0 kernel pointer, revealing kernel memory layout and aiding further exploitation.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability is an information disclosure issue in the UPnP GetStatusInfo action handler. The affected firmware fails to sanitize kernel memory pointers before returning them in UPnP responses. Specifically, a MIPS KSEG0 kernel pointer is leaked, allowing an unauthenticated, adjacent-network attacker to infer the kernel's virtual memory layout. KSEG0 is a cached, unmapped segment in MIPS architecture where the kernel typically resides; its disclosure defeats address space layout randomization (ASLR) protections on the device. This information is valuable for chaining with other vulnerabilities to achieve code execution or privilege escalation.

Business impact

For organizations relying on Mercusys AC12G routers, this vulnerability degrades the security posture of the network perimeter. While not immediately exploitable for full compromise, it significantly accelerates attack development against the device. Attackers who identify this router on a network can extract memory layout information as a precursor to launching a targeted exploit. The adjacent-network requirement limits the attack surface to local and guest networks, but in BYOD or shared-network environments, this remains a material risk. Remediation delays increase exposure to multi-stage compromise chains.

Affected systems

Mercusys AC12G (EU) V1 router running firmware version AC12G(EU)_V1_200909. The vulnerability is specific to this firmware version; later firmware releases may or may not be affected. Mercusys devices are commonly deployed in small office and home office (SOHO) environments as well as enterprise branch offices. Any network hosting this exact hardware and firmware combination is at risk if the router is accessible to untrusted adjacent network segments (guest networks, corporate wireless, etc.).

Exploitability

Exploitability is straightforward from a technical standpoint: an unauthenticated attacker on the adjacent network (same LAN, wireless network, or VPN segment) can trigger the UPnP GetStatusInfo action and parse the response to extract the kernel pointer. No authentication is required, no user interaction is necessary, and no special privileges are required on the attacker's end. The attack is passive from the victim's perspective and leaves minimal forensic evidence. However, exploitation requires the attacker to be on the adjacent network and to actively query the UPnP service, which may be blocked by firewall rules or network segmentation. The CVSS score of 4.3 (Medium) reflects that while disclosure occurs and attack complexity is low, impact is limited to confidentiality and the attack surface is restricted to adjacent networks.

Remediation

Upgrade to a patched firmware version released by Mercusys that addresses the UPnP pointer disclosure. Verify the firmware version on affected routers and contact Mercusys support or check their firmware download page for available updates. In the interim, restrict UPnP access to trusted network segments only and disable UPnP on the router's WAN interface if not required. Network segmentation—isolating guest and untrusted networks from administrative network segments—also reduces the risk of an attacker leveraging this disclosure to compromise critical systems.

Patch guidance

Check the Mercusys support portal or the router's admin interface for the latest available firmware version. The current affected version is AC12G(EU)_V1_200909. Upgrade via the router's web admin panel (System Tools > Firmware) or download the firmware file directly from Mercusys and perform a manual update. Ensure the router is connected to power and an active network during the update process. Verify the update was successful by confirming the new firmware version in the System Settings page post-reboot. Document the update timestamp for compliance records.

Detection guidance

Monitor UPnP traffic on your network for GetStatusInfo queries to Mercusys devices, particularly from unexpected or untrusted source IP addresses. Network IDS/IPS solutions can detect UPnP discovery and exploitation patterns. Endpoint detection and response (EDR) tools may flag suspicious processes attempting to parse UPnP responses. On the router itself, enable debug logging if available and review logs for UPnP service access. Perform inventory scans to identify all Mercusys AC12G devices and confirm their firmware versions; automated vulnerability scanners that check UPnP endpoint responses can help flag exposure. Consider disabling UPnP entirely if not operationally required and replacing it with more secure alternatives like UPNP-IGD over HTTPS.

Why prioritize this

This vulnerability should be prioritized for patching in environments where Mercusys AC12G (EU) V1 routers are deployed, particularly in networks with guest or untrusted adjacent segments. While the CVSS score is Medium and the exploit requires network adjacency, the ease of exploitation and the role of kernel memory disclosure in enabling advanced attacks warrant timely remediation. Organizations with strong network segmentation and no exposed UPnP services can defer patching but should still plan for upgrade windows. Prioritize devices acting as gateways to high-value assets or in multi-tenant environments.

Risk score, explained

The CVSS 3.1 score of 4.3 reflects a Medium severity rating. The AV:A (Adjacent Network) vector restricts the attack to local network attackers, preventing remote exploitation over the internet. AC:L (Low complexity) indicates minimal technical barriers to exploitation. PR:N and UI:N indicate no authentication or user interaction is required, making the attack immediate and passive. The C:L (Low confidentiality impact) reflects information disclosure limited to memory layout, not sensitive user data or encryption keys. The I:N (No integrity impact) and A:N (No availability impact) mean the router's function and data integrity are not directly compromised. The scope is Unchanged, confirming the impact does not propagate beyond the affected system's security domain. While the score is moderate, the vulnerability's value in reconnaissance for subsequent attacks elevates its practical importance beyond the numerical rating.

Frequently asked questions

Can this vulnerability be exploited from the internet?

No. The CVSS vector AV:A (Adjacent Network) means the attacker must be on the same network segment as the router—the local LAN, wireless network, or an active VPN connection. The UPnP service is typically not exposed to the internet unless explicitly port-forwarded, which is uncommon. However, an attacker with guest network access, rogue WiFi connection, or LAN access can exploit it.

What does the leaked kernel pointer reveal?

A MIPS KSEG0 kernel pointer reveals the virtual address where the kernel code and data are loaded in memory. This defeats ASLR protections specific to the kernel, allowing an attacker to predict the location of kernel functions and data structures. By itself, this does not grant code execution, but it is a critical first step in developing kernel exploits, privilege escalation, or attacks against kernel security features.

Is there a public exploit for this vulnerability?

As of the published date (June 3, 2026), there is no indication of public exploit code. The vulnerability has not been added to the CISA Known Exploited Vulnerabilities (KEV) catalog. However, given the simplicity of exploitation (querying UPnP), threat actors may develop or use private exploits as part of reconnaissance campaigns. Patching should not be delayed in anticipation of public code.

Do I need to disable UPnP entirely?

Disabling UPnP is a reasonable hardening step if your network does not rely on automatic port mapping for games, peer-to-peer applications, or IoT devices. Many enterprise networks operate safely without UPnP by using manual port configurations or VPNs. If UPnP is required, restrict it to trusted network segments only and ensure the router firmware is fully patched.

This analysis is provided for informational and educational purposes. The information herein reflects the vulnerability details as published and available at the time of writing. Mercusys firmware versions, patch availability, and network configurations may vary; organizations should verify all technical details against official vendor advisories and conduct internal testing before deploying patches. SEC.co makes no warranty regarding the accuracy, completeness, or timeliness of this analysis. Organizations are responsible for assessing their own risk and implementing appropriate mitigations based on their environment and threat model. No exploit code or weaponized proof-of-concept is provided or endorsed. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).