CVE-2026-36604: Mercusys AC12G Router DNS Rebinding & CORS Vulnerability
A Mercusys AC12G (EU) V1 router running firmware version AC12G(EU)_V1_200909 fails to validate the HTTP Host header in requests, creating an opening for DNS rebinding attacks. When an attacker controls a domain, they can redirect that domain to the router's internal IP address. The router's existing CORS misconfiguration (which already allows requests from any origin) amplifies this weakness, permitting the attacker to extract sensitive information from the router's web interface as if the request came from a trusted source. This vulnerability requires user interaction—typically visiting a malicious website—but does not require authentication.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-350
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-03 / 2026-06-17
NVD description (verbatim)
Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 does not validate the HTTP Host header, enabling DNS rebinding attacks. An external attacker can rebind a domain to the router's internal IP address, extending the CORS wildcard vulnerability (Access-Control-Allow-Origin: *) to internet-originated attacks.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from two converging flaws: (1) insufficient Host header validation on the router's HTTP interface, and (2) overly permissive CORS headers (Access-Control-Allow-Origin: *) that fail to enforce same-origin policy. An attacker registers or controls a domain and manipulates its DNS resolution to point to the router's internal IP (commonly 192.168.0.1 or similar). When a user visits the attacker's website, JavaScript code triggers requests to the controlled domain. The router accepts these requests because it does not validate the Host header against a whitelist of legitimate origins. The wildcard CORS header then permits the browser to return response data to the attacker's JavaScript context, bypassing confidentiality controls. The attack vector is network-based and requires no privileges, though it does depend on the user clicking a link or visiting a page (user interaction).
Business impact
An attacker can harvest sensitive configuration data from an affected router, including network settings, DHCP lease information, connected device details, Wi-Fi credentials, or other operational parameters exposed via the web interface. In small-office or home environments where this router model is deployed, compromise of Wi-Fi keys or network topology can lead to unauthorized network access, lateral movement, or further attacks on connected devices. For organizations using these routers in branch offices or edge deployments, the risk extends to enterprise network reconnaissance. The attack requires no special skills beyond DNS control and basic web scripting; widespread exploitation is feasible once exploitation details become public.
Affected systems
Mercusys AC12G (EU) router model V1 running firmware AC12G(EU)_V1_200909 is confirmed affected. Mercusys has not released updated firmware versions in the provided advisory data; verify the vendor's support page for patch availability. Other Mercusys models or firmware revisions may be similarly vulnerable if they share the same web interface code and CORS configuration. Users should verify their model and firmware version via the router's web interface (typically accessible at 192.168.0.1 or 192.168.1.1) or documentation.
Exploitability
Exploitation is straightforward and does not require advanced technical skills. The attacker needs only to control a DNS domain (purchased or compromised) and host a webpage with JavaScript code that makes cross-origin requests to the router's internal IP. The user interaction requirement—visiting the attacker's page—is the primary friction point, but social engineering, phishing, or redirects from legitimate compromised sites can deliver victims. Once a user visits, the attack executes silently in the background. There is no known public exploit code in the provided data, and this vulnerability has not been added to the CISA Known Exploited Vulnerabilities catalog, but the simplicity of the attack pattern suggests exploitation risk is moderate-to-high if details are disclosed.
Remediation
Mercusys should update the router firmware to validate the HTTP Host header against a whitelist of legitimate hostnames and remove or restrict the wildcard CORS header. Until a patch is available, network administrators can mitigate risk by disabling remote management of the router's web interface (if the router exposes it beyond the LAN) and educating users to avoid clicking untrusted links. Some routers allow disabling the web interface entirely in favor of a mobile app; this is not a reliable mitigation but reduces the attack surface. Firewall rules blocking internal IP ranges from external sources provide defense-in-depth but do not protect users who have already been redirected via DNS rebinding.
Patch guidance
Check the Mercusys product support page or contact vendor support to determine if a firmware update addressing Host header validation and CORS headers is available. Firmware updates are typically installed via the router's web interface (Administration > Firmware Update) or via a mobile app. Verify the exact firmware version running on your device before updating; download the correct version for your region (EU in this case) to avoid compatibility issues. After patching, reboot the router and confirm the new firmware version is reported in the web interface. No rollback is anticipated to be necessary; retain the old firmware version file for troubleshooting only.
Detection guidance
Network-based detection is difficult because DNS rebinding traffic uses standard HTTP and HTTPS protocols. On the router itself, monitor web interface logs (if available) for GET or POST requests with suspicious Host headers (e.g., Host headers that do not match the router's known IP addresses or hostnames) or Host headers pointing to external domains. Endpoint detection: monitor browser developer consoles or network traffic logs on client machines for failed cross-origin requests to internal IP ranges, particularly 192.168.0.0/16 or 10.0.0.0/8. DNS monitoring: log DNS queries for domains resolving to RFC 1918 private address ranges, which is anomalous and may indicate DNS rebinding. User education is essential: users should be suspicious of pages that attempt CORS requests to internal IPs or that trigger unusual network activity visible in browser developer tools.
Why prioritize this
Although this vulnerability carries a CVSS score of 6.5 (MEDIUM severity), it should be prioritized for patching in environments where Mercusys routers are deployed, particularly in remote or branch offices. The attack is easy to execute, does not require authentication, and results in information disclosure that can enable further attacks. The lack of KEV catalog inclusion suggests in-the-wild exploitation has not yet been reported, making now an ideal window to patch before public disclosure drives attackers to weaponize it. For organizations running these routers, treat this as a moderate-priority patch candidate; for consumer users, awareness and firmware update availability are the primary concerns.
Risk score, explained
The CVSS 3.1 score of 6.5 (MEDIUM) reflects attack vector Network (N), low attack complexity (L), no privilege requirement (N), user interaction required (R), unchanged scope (U), high confidentiality impact (H), no integrity or availability impact (N/N). The user interaction requirement prevents a higher score despite the ease of exploitation. However, the real-world risk is higher than CVSS suggests because DNS rebinding is a well-understood technique, the attack is network-adjacent (the user must visit a page, but that page can be an advertisement, redirect, or phishing email), and the disclosure of router configuration can cascade into lateral movement attacks on connected devices.
Frequently asked questions
I have a Mercusys AC12G (EU) router. How do I check if I'm running the vulnerable firmware?
Log in to your router's web interface (typically 192.168.0.1) and navigate to System Tools or About. The firmware version will be displayed; if it shows AC12G(EU)_V1_200909 or a similar version prior to a vendor patch, you are affected. Check the official Mercusys support website for your region to see if a newer firmware version is available.
Does this vulnerability allow an attacker to take control of my router?
No. This vulnerability allows information disclosure only; an attacker can read configuration data but cannot modify settings, change the Wi-Fi password, or disable the router. However, stolen Wi-Fi credentials or network topology information can be used for further attacks on your devices.
Can I be exploited if I don't visit any suspicious websites?
This vulnerability requires the user to visit a webpage controlled by the attacker (directly or via a redirect). If you do not click untrusted links and avoid suspicious websites, your exposure is lower. However, compromised legitimate websites or malicious advertisements can also deliver the attack, so caution is still warranted.
Will the vendor release a patch for this router model?
Mercusys is responsible for patching. The provided data does not confirm patch availability as of the publication date; contact Mercusys support or check your router's firmware update menu to see if an update is offered. Older router models sometimes receive limited support; if no patch is forthcoming, consider replacing the device or disabling the web interface and using alternative management methods.
This analysis is provided for informational purposes and reflects the vulnerability data as of the modification date 2026-06-17. No exploit code or weaponized proof-of-concepts are included. Patch availability and timelines are the responsibility of Mercusys and should be verified against the vendor's official security advisories and support channels. Organizations should conduct their own risk assessment based on their network inventory, user behavior, and controls. This information does not constitute legal or compliance advice. Test any patches in a non-production environment before deployment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2018-25387MEDIUMHaPe PKH 1.1 Cross-Site Request Forgery (CSRF) Admin Password Reset
- CVE-2018-25393MEDIUMNavigate CMS 2.8.5 Path Traversal Vulnerability (CVSS 6.5)
- CVE-2018-25397MEDIUMCSRF Vulnerability in PHP-SHOP 1.0 – Admin Account Injection
- CVE-2018-25421MEDIUMOpen STA Manager 2.3 Path Traversal File Download Vulnerability
- CVE-2018-25423MEDIUMBuffer Overflow Denial of Service in Arm Whois 3.11
- CVE-2018-25435MEDIUMZeusCart 4.0 CSRF Vulnerability – Account Deactivation Risk
- CVE-2019-25716MEDIUMDräger Patient Monitor Denial-of-Service Vulnerability