HIGH 8.1

CVE-2026-36603: Mercusys AC12G Unauthenticated UPnP Port Forwarding Vulnerability

The Mercusys AC12G (EU) V1 router running firmware version AC12G(EU)_V1_200909 contains a critical authentication bypass vulnerability in its UPnP (Universal Plug and Play) implementation. Any device connected to the router's local network can manipulate port forwarding rules and retrieve WAN connection details without providing credentials. Since UPnP is enabled by default, attackers with LAN access gain the ability to redirect internet traffic, expose internal services, or exfiltrate data—creating a serious risk for home and small-office networks.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.1 HIGH · CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Weaknesses (CWE)
CWE-306
Affected products
0 configuration(s)
Published / Modified
2026-06-03 / 2026-06-17

NVD description (verbatim)

Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 exposes 15 of 18 UPnP IGD actions without authentication on port 1900, including AddPortMapping and GetExternalIPAddress. UPnP is enabled by default through the admin interface, allowing any unauthenticated LAN device to create arbitrary port forwarding rules and access WAN traffic statistics.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability stems from missing authentication checks on 15 of 18 UPnP IGD (Internet Gateway Device) actions exposed on port 1900. The affected actions include AddPortMapping, which allows arbitrary inbound port-to-LAN-device mappings, and GetExternalIPAddress, which reveals WAN-side network information. The root cause is classified as CWE-306 (Missing Authentication for Critical Function). An unauthenticated UPnP client on the LAN can send SOAP/XML requests to invoke these actions without presenting valid credentials, bypassing the router's access controls. The vulnerability requires network adjacency (AV:A in CVSS terms) but no user interaction and succeeds under standard conditions (AC:L).

Business impact

Organizations and households relying on this router model face compromised perimeter security. Attackers with physical or wireless access to the network can silently establish port forwarding rules, allowing them to expose internal servers, intercept or redirect user traffic, or maintain persistent backdoor access. For small businesses using this device, the risk extends to confidentiality and integrity of all connected systems. Remediation requires firmware updates or manual UPnP disablement, creating operational overhead during the patching window.

Affected systems

Mercusys AC12G (EU) V1 routers running firmware AC12G(EU)_V1_200909 are confirmed affected. Verify whether additional firmware revisions or regional variants are impacted by consulting the Mercusys security advisory. The vulnerability's reliance on LAN access restricts the attack surface to devices already on the network or those able to connect via Wi-Fi, though default credentials or weak Wi-Fi passwords increase practical risk.

Exploitability

Exploitation requires network adjacency but is trivial once that access is obtained. No special tools beyond standard UPnP client libraries are needed; proof-of-concept attacks can be constructed quickly. The default-enabled UPnP setting means most users have not explicitly activated the vulnerable code path. The CVSS score of 8.1 (HIGH) reflects high impact on confidentiality and integrity, offset only by the requirement for local network presence. Real-world exploitation is likely if an attacker gains Wi-Fi access or if internal network segmentation is absent.

Remediation

Mercusys should release a patched firmware version addressing the authentication bypass by enforcing authentication on all UPnP IGD actions. Interim mitigations include disabling UPnP through the router's admin interface (accessible at the router's IP address, typically 192.168.0.1), which eliminates the attack surface entirely. Users lacking vendor updates should apply the UPnP disablement workaround immediately. Network segmentation—isolating IoT and network devices on a restricted VLAN—can reduce blast radius for organizations unable to update quickly.

Patch guidance

Monitor the Mercusys support website and security advisories for a firmware release addressing CVE-2026-36603. When available, the patch should be applied via the router's web interface (Administration > Firmware Upgrade). Verify the updated firmware version number against the vendor advisory before deployment. For environments requiring continuity, consider staggered rollout to a test router first. If no patch is forthcoming, UPnP disablement becomes the permanent mitigation strategy.

Detection guidance

Monitor network traffic on port 1900 (UDP) for UPnP SOAP requests originating from unexpected LAN devices. Intrusion detection signatures can flag SOAP requests containing 'AddPortMapping' or 'GetExternalIPAddress' actions sent to the router. Enable router logging (if available) to capture UPnP service invocations. On the router's web interface, review the Port Forwarding or Virtual Server settings for unexpected rules that may indicate prior exploitation. Wireless network monitoring can identify unauthorized device associations that might precede an attack.

Why prioritize this

This vulnerability should be prioritized as HIGH due to its ease of exploitation once LAN access is gained, the default-enabled UPnP setting, and the direct path to compromised network integrity. Organizations using this router model in production environments or branch offices should treat patching or mitigation as urgent. The impact—unauthorized port mapping and WAN data exposure—directly undermines network perimeter controls. Although the attack surface is geographically limited to the local network, the severity of the compromise justifies rapid remediation.

Risk score, explained

The CVSS 3.1 score of 8.1 reflects the combination of HIGH confidentiality and integrity impacts (C:H/I:H) against no availability impact (A:N). The vector AV:A/AC:L/PR:N/UI:N indicates that only network adjacency and the ability to send UPnP requests are required; no privileges, complex configuration, or user interaction is necessary. The score appropriately captures the severity of allowing unauthorized port forwarding and external IP address leakage, while acknowledging the practical constraint that the attacker must already be on or connected to the LAN.

Frequently asked questions

Can I be exploited if I disable Wi-Fi or use a strong Wi-Fi password?

A strong Wi-Fi password significantly raises the barrier for exploitation but does not eliminate risk entirely. An attacker with wired access to the LAN, a compromised device already on the network, or a weak Wi-Fi password can still exploit the vulnerability. Disabling UPnP is the most reliable mitigation.

Is there a way to check if my router has been exploited?

Review the router's Port Forwarding or Virtual Server configuration in the admin interface for unexpected rules you did not create. Enable logging if available and check for UPnP service activity. If you find unknown port mappings, immediately disable UPnP and change your router's admin credentials.

Does this vulnerability affect routers outside the EU regional variant?

The vulnerability is confirmed in the AC12G (EU) V1 variant. Other regional models or hardware revisions may or may not be affected. Check Mercusys advisories to determine which SKUs are in scope, and do not assume safety based on region alone.

What is UPnP and why is it enabled by default?

UPnP (Universal Plug and Play) is a protocol that allows devices to automatically configure port forwarding and discover network services without manual configuration. It is convenient for gaming, video conferencing, and peer-to-peer applications but introduces security risk if not properly authenticated. Many routers enable it by default to improve user experience at the cost of security.

This analysis is based on published vulnerability data as of the modification date (2026-06-17) and should not be treated as legal or vendor-specific authorization. Patch versions, availability dates, and detailed remediation steps must be verified against official Mercusys security advisories and product documentation. Organizations should conduct internal testing and risk assessments before deploying mitigations in production environments. SEC.co makes no warranty regarding the completeness or accuracy of third-party vendor patch information and recommends direct contact with Mercusys support for definitive guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).