HIGH 7.3

CVE-2026-36611: Mercusys AC12G Memory Disclosure Vulnerability

A Mercusys AC12G (EU) V1 router with firmware version AC12G(EU)_V1_200909 has a vulnerability that exposes uninitialized memory to attackers on the same network. When the router receives certain requests on its UPnP port without proper headers, it returns 128 bytes of raw memory content that should have been inaccessible. An attacker with network access can exploit this to leak sensitive internal data without needing credentials.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-200
Affected products
0 configuration(s)
Published / Modified
2026-06-03 / 2026-06-17

NVD description (verbatim)

Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 returns 128 bytes of uninitialized buffer when receiving POST requests without SOAPAction header on UPnP port 1900, exposing internal memory to unauthenticated adjacent network attackers.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-36611 is an information disclosure vulnerability affecting Mercusys AC12G (EU) V1 routers. The device's UPnP service on port 1900 fails to properly handle POST requests missing the SOAPAction header, triggering a code path that returns uninitialized buffer contents (128 bytes) to the requestor. This violates CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) by allowing unauthenticated, adjacent-network attackers to read memory that may contain session tokens, configuration data, or other sensitive state. The vulnerability requires no user interaction and presents a straightforward network-level attack vector.

Business impact

Organizations and individuals using affected Mercusys AC12G routers face potential compromise of sensitive router configuration, network credentials, or other adjacent-device secrets. While the vulnerability alone does not provide remote code execution, the memory disclosure could leak information that facilitates secondary attacks—such as WPA/WPA2 passphrases or access tokens—putting all devices on the network at risk. For managed service providers or corporate networks using these routers, this represents a foothold for lateral movement or network reconnaissance.

Affected systems

Mercusys AC12G (EU) V1 routers running firmware version AC12G(EU)_V1_200909 are confirmed affected. The vulnerability is specific to this EU variant and firmware revision; operators should verify whether their deployment uses this exact model and firmware version. Regional variants and other Mercusys models may or may not be affected; check the vendor advisory for clarification on scope.

Exploitability

This vulnerability is readily exploitable from the local network segment. An attacker needs only network adjacency (same LAN or wireless network) and the ability to send a crafted POST request to port 1900 without a SOAPAction header—a trivial task requiring basic HTTP tools. No authentication, user interaction, or special privileges are required. The attack is deterministic and repeatable, making it a practical concern for anyone sharing a network with an affected router.

Remediation

Upgrade the router firmware to a patched version released by Mercusys. Users should verify the latest available firmware for the AC12G (EU) V1 against the manufacturer's support page and apply it. If no firmware patch is available, consider temporarily disabling UPnP if it is not required, or isolating the router on a restricted network segment. Check the vendor advisory for specific patch version numbers and deployment guidance.

Patch guidance

Contact Mercusys support or visit their firmware download portal to obtain the latest firmware for the AC12G (EU) V1 EU model. Verify the firmware version number against the advisory to confirm it addresses CVE-2026-36611. Apply firmware updates through the router's web interface or management tool, following the manufacturer's instructions to avoid corrupting the device. After patching, reboot the router and confirm the new firmware version in the device status page.

Detection guidance

Monitor UPnP traffic on port 1900 for POST requests without SOAPAction headers originating from untrusted local network hosts. Inspect router logs (if available) for unusual UPnP queries. Perform network segmentation to limit which devices can reach the router's UPnP port. Use IDS/IPS rules to detect or block malformed UPnP requests. If available, enable enhanced logging on affected routers to audit UPnP service activity.

Why prioritize this

Although the CVSS score of 7.3 reflects 'HIGH' severity, the vulnerability's impact on your organization depends on your network topology and the presence of untrusted adjacent devices. Prioritize patching if: (1) you operate affected Mercusys AC12G (EU) V1 hardware; (2) your network permits guest or guest-adjacent access to the LAN; (3) sensitive data resides on the network behind the router. For isolated corporate networks with controlled access, prioritization can be slightly lower, but the exploit barrier remains very low—patch as soon as feasible.

Risk score, explained

CVSS 3.1 score of 7.3 (HIGH) reflects the combination of network-level accessibility (AV:N), low attack complexity (AC:L), no authentication required (PR:N), no user interaction (UI:N), and impact across confidentiality, integrity, and availability dimensions. The score does not account for the requirement of adjacent network access; the 'N' in AV indicates network-reachable from the LAN. The vulnerability is straightforward to exploit and information disclosure could enable privilege escalation or credential theft on the wider network.

Frequently asked questions

Can this vulnerability be exploited from the internet?

No. The vulnerability requires adjacent network access—the attacker must be on the same LAN or wireless network as the affected router. Internet-facing attacks are not possible due to the network-layer restriction.

What information could leak from the uninitialized buffer?

The 128-byte memory region could contain session tokens, cached credentials, configuration parameters, or other router state. The exact content depends on runtime memory layout and prior operations. An attacker may need to issue multiple requests to extract meaningful data.

Is this vulnerability being actively exploited?

As of the published date, this CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. However, the low barrier to exploitation and straightforward attack method mean patching should not be delayed pending exploitation reports.

Does disabling UPnP prevent exploitation?

Yes. If UPnP is not required for your network, disabling it via the router's administration interface eliminates this attack surface. However, patching remains the recommended long-term solution.

This analysis is based on the vulnerability disclosure published on 2026-06-03 and modified on 2026-06-17. Patch versions, exact affected product ranges, and vendor guidance should be verified against the official Mercusys advisory and SEC.co's structured vulnerability data. SEC.co makes no warranty regarding the completeness or accuracy of third-party vendor information. Organizations are responsible for assessing their own exposure and applying patches according to their risk management policies. This document does not constitute security advice and is provided for informational purposes only. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).