CVE-2026-36608: Mercusys AC12G UPnP Port Forwarding Admin Exposure Vulnerability
A vulnerability in Mercusys AC12G (EU) V1 routers running firmware version AC12G(EU)_V1_200909 allows anyone connected to the local network to use UPnP port forwarding to redirect traffic destined for the internet directly to the router's admin interface. The vulnerability exists because the router's UPnP implementation doesn't properly validate the destination address when setting up port mappings—it accepts requests to forward ports to the router's own IP address (192.168.1.1) or localhost (127.0.0.1), which should never be allowed. An attacker on the LAN can exploit this with a single SOAP request to expose the administrative panel to the public internet without authentication, bypassing all network boundary protections.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-441
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-03 / 2026-06-17
NVD description (verbatim)
Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 allows UPnP AddPortMapping to forward external ports to the router's own admin interface by accepting its own IP (192.168.1.1) or localhost (127.0.0.1) as InternalClient. An unauthenticated LAN attacker can expose the admin panel to the internet with a single SOAP request.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from improper input validation in the UPnP AddPortMapping implementation (CWE-441: Uncontrolled Modification of Critical Data Through Privileged Code). The UPnP device description service accepts port mapping requests specifying the router's own management interface as the InternalClient parameter—accepting both 192.168.1.1 and 127.0.0.1. This allows an unauthenticated local attacker to craft a SOAP AddPortMapping request that configures external port forwarding to the admin interface, effectively creating a tunnel from WAN to the management console. The affected firmware version (AC12G(EU)_V1_200909) does not restrict forwarding destinations to legitimate internal hosts, creating a critical trust boundary violation. No user interaction is required; the single SOAP request is sufficient to establish the misconfiguration.
Business impact
Compromise of router admin credentials or session tokens grants attackers complete control over network traffic routing, DNS settings, wireless configuration, and potentially device firmware. An exposed admin panel accessible from the internet dramatically increases the attack surface, enabling credential brute-forcing, session hijacking, or exploitation of additional admin interface vulnerabilities. Organizations or homes using this router could face network-wide data interception, DNS poisoning, malware injection into downstream systems, or complete network takeover. For small businesses or home offices relying on this budget router, the impact extends to all connected devices and any business operations conducted over that network.
Affected systems
Mercusys AC12G (EU) V1 routers running firmware AC12G(EU)_V1_200909 are confirmed vulnerable. Mercusys is a TP-Link sub-brand focused on budget networking equipment, primarily distributed in European markets. The specific model and firmware version affected appear narrowly scoped based on available information; however, verify against Mercusys security advisories whether earlier firmware versions or regional variants (non-EU models) share the same UPnP implementation flaw. Organizations should check inventory against this exact model and firmware combination and contact Mercusys support for patch availability and broader product line guidance.
Exploitability
Exploitation requires only local network access and no authentication. The attack is trivial to execute—a single HTTP POST request containing a crafted SOAP envelope to the UPnP device control service is sufficient. No special privileges, user interaction, or complex exploitation technique is needed. Any device on the LAN (including IoT devices, guest computers, or compromised endpoints) can launch the attack. The low complexity and lack of authentication requirements make this highly exploitable in practice, though the attack is constrained to the local network segment (not remotely exploitable from the internet without first gaining LAN access). This remains a critical risk for environments where physical network access or wireless access is not strictly controlled.
Remediation
Immediately check your network inventory for Mercusys AC12G (EU) V1 routers running firmware AC12G(EU)_V1_200909. Contact Mercusys technical support or check their security advisory page to obtain a patched firmware version. Firmware updates typically address this by adding validation to reject any AddPortMapping request where the InternalClient parameter is the router's own IP or loopback address. Until a patch is available and deployed, implement compensating controls: disable UPnP on the router if not required for legitimate devices (many modern networks do not rely on UPnP auto-discovery), restrict wireless network access with strong WPA3 encryption and a unique passphrase, segment the router management console to a dedicated administrative VLAN if the network topology permits, and monitor for suspicious port forwarding configurations via the admin console or via network traffic analysis for unexpected SOAP requests.
Patch guidance
Verify the availability of a firmware update from Mercusys that addresses CVE-2026-36608. Visit the Mercusys official support site or product page for AC12G (EU) V1, download the latest firmware, and follow the provided upgrade procedure (typically via the web admin console or recovery tool). Document the current firmware version before upgrading and maintain a backup of router settings. After upgrade, verify that the firmware version is no longer AC12G(EU)_V1_200909 and confirm that UPnP port mapping now rejects attempts to forward to 192.168.1.1 or 127.0.0.1 (testing can be performed with a UPnP client or network scanner). Roll out patches to all affected devices in your organization in priority order, prioritizing those on internet-facing or guest networks first.
Detection guidance
Monitor for exploitation attempts by logging UPnP AddPortMapping requests to the router's own IP address. If the router admin console permits UPnP request logging, enable it and alert on any requests specifying InternalClient as 192.168.1.1 or 127.0.0.1. Network-level detection can monitor for SOAP requests to UDP port 1900 (SSDP) or TCP port 49152+ (typical UPnP device control ports) containing AddPortMapping actions with suspicious destination IPs. After patching, verify no active port mappings point to the router's own IP by accessing the admin console and reviewing the port forwarding rules table. Log and track the firmware version of all routers in your network; outdated versions should trigger remediation workflows. Review external port exposure through periodic network scans or services like Shodan to identify any unexpected open admin interface ports.
Why prioritize this
This vulnerability warrants immediate remediation due to the combination of high CVSS severity (8.8), unauthenticated access, lack of user interaction, and high integrity and confidentiality impact. While the attack is constrained to the LAN, the ability for any local attacker to expose the router's admin interface to the internet creates a critical security bypass. Unlike remote code execution vulnerabilities that require initial access, this flaw directly enables unauthorized administrative access, making it a gateway for further network compromise. Organizations should treat this as a Tier 1 security incident for affected inventory.
Risk score, explained
The CVSS 3.1 score of 8.8 (HIGH) reflects an attack vector limited to the local network (AV:A), low attack complexity (AC:L), no privilege or user interaction requirements (PR:N/UI:N), and high impact across confidentiality, integrity, and availability (C:H/I:H/A:H). The score appropriately penalizes the local network requirement but awards maximum severity for the breadth of access granted—complete administrative control over the router and, by extension, the network it serves. The lack of exploit availability in public databases currently limits practical risk, but the simplicity of exploitation and the critical nature of the compromised asset (network perimeter device) justify the HIGH severity rating.
Frequently asked questions
Can this vulnerability be exploited remotely from the internet?
No. The vulnerability requires network access to the LAN where the router resides. An attacker must be connected to the same local network (either physically or via compromised wireless credentials) to send the UPnP request. However, once exploited, the attacker can expose the admin interface to the internet, creating a secondary pathway for remote compromise.
Does UPnP need to be enabled for this vulnerability to be exploitable?
Yes. UPnP is a network service that must be enabled on the router for the AddPortMapping request to be processed. If UPnP is disabled in the router's admin settings, the vulnerability cannot be exploited. Many users leave UPnP enabled by default for device auto-discovery convenience, making this a practical risk.
Are other Mercusys or TP-Link router models affected?
Based on the provided information, only the Mercusys AC12G (EU) V1 running firmware AC12G(EU)_V1_200909 is confirmed vulnerable. However, other budget routers from Mercusys or TP-Link may share similar UPnP implementations. Check your inventory against this specific model and firmware version, and contact the vendor for guidance on whether other products are affected by the same flaw.
What should I do if I cannot obtain a patch immediately?
Disable UPnP in the router admin console if it is not actively used by your network devices. Restrict access to the router's wireless network with strong encryption and a unique passphrase to minimize the number of potential attackers on the LAN. Monitor the router's port forwarding configuration regularly to detect any unauthorized rules. If the router is essential and a patch is not available, consider replacing it with a model from a vendor with a stronger security posture and active patch support.
This analysis is based on publicly disclosed information current as of the publication date. CVSS scores, CWE classifications, and affected product information are derived from authoritative vulnerability databases. Patch availability and specific remediation steps should be verified directly with Mercusys technical support or official security advisories. SEC.co does not provide warranty regarding the completeness or applicability of this guidance to your specific environment. Organizations should conduct their own risk assessment and testing before deploying any patches or configuration changes. Exploit code or proof-of-concept details are not included in this advisory; security researchers are encouraged to report any undisclosed variants responsibly to the affected vendor. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2025-48570HIGHAndroid PipTaskOrganizer Privilege Escalation Vulnerability
- CVE-2026-0098HIGHAndroid Confused Deputy Privilege Escalation – Activity Start Bypass
- CVE-2018-25382HIGHZechat 1.5 SQL Injection Vulnerability – Unauthenticated Database Access
- CVE-2018-25383HIGHFree MP3 CD Ripper 2.8 Stack Overflow – ROP and DEP Bypass Risk
- CVE-2018-25385HIGHUnauthenticated SQL Injection in E-Registrasi Pencak Silat 18.10
- CVE-2018-25386HIGHSQL Injection in HaPe PKH 1.1 Admin Interface
- CVE-2018-25388HIGHHaPe PKH 1.1 Arbitrary File Upload Vulnerability (CVSS 8.8)
- CVE-2018-25389HIGHSQL Injection in HaPe PKH 1.1 Database Extraction