CVE-2026-36618: Mercusys AC12G DNS Version Disclosure Vulnerability
The Mercusys AC12G (EU) router with firmware version AC12G(EU)_V1_200909 has a configuration issue that allows anyone on the local network to discover which version of the DNS resolver software (unbound 1.22.0) is running on the device. An attacker can query the router for this information and use it to identify known vulnerabilities affecting that specific DNS software version, making targeted attacks easier. This is a local network exposure only—an attacker would need network access to the router or its subnet to exploit it.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.3 MEDIUM · CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- Weaknesses (CWE)
- CWE-200
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-03 / 2026-06-17
NVD description (verbatim)
Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 responds to version.bind CHAOS TXT queries, disclosing the DNS resolver software version (unbound 1.22.0), aiding targeted attacks against known vulnerabilities.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from the router's DNS resolver responding to version.bind CHAOS TXT queries, a standard DNS query type that software typically disables or restricts. By sending a DNS query for version.bind in the CHAOS class, an attacker can elicit a response revealing that unbound 1.22.0 is the underlying DNS resolver. This information disclosure falls under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The attack vector is adjacent network access with no authentication or user interaction required. The scope remains unchanged (local only), and the impact is limited to confidentiality—an attacker gains useful reconnaissance data but cannot directly modify the router or deny service through this method alone.
Business impact
For most organizations, this vulnerability presents minimal direct business risk because the router is a consumer-grade access point designed for small office or home use. However, if deployed in a small business or branch office as part of the network perimeter, the information leak could facilitate reconnaissance for follow-on attacks. An attacker who learns the DNS resolver version might then attempt to exploit known vulnerabilities in unbound 1.22.0, potentially compromising DNS resolution integrity or availability on that network segment. The real risk emerges in multi-stage attack scenarios where this disclosure is one of several reconnaissance steps.
Affected systems
Only the Mercusys AC12G (EU) model V1 running firmware AC12G(EU)_V1_200909 is confirmed affected. Mercusys is a sister brand of TP-Link, primarily distributed in European markets. Organizations using this specific router model should verify their firmware version. It is unclear from available data whether other Mercusys models, earlier or later firmware versions, or the non-EU AC12G variant exhibit the same behavior—those should be tested independently or checked against vendor advisories.
Exploitability
Exploitation requires an attacker to be on the same network segment or have routing access to the router's management network. The attack itself is trivial: a single DNS query using standard tools (dig, nslookup, or custom scripts) with the correct parameters will trigger the disclosure. No authentication is required, and the query is not resource-intensive. However, practical exploitability is limited because the attacker must first have network proximity to the device, which constrains the threat to insider threats, compromised devices on the same network, or attackers who have already gained initial access to the network. The CVSS score of 4.3 (MEDIUM) reflects this balance: low practical exploitability offset by ease of execution once access is achieved.
Remediation
Firmware updates are the primary remediation. Contact Mercusys support or check the product support page for AC12G (EU) V1 to obtain and apply the latest available firmware. Firmware updates typically include security patches that disable or restrict CHAOS TXT responses. As an interim mitigation, restrict DNS query types at the network perimeter firewall level to block CHAOS queries from untrusted sources, or isolate the router on a separate management network. Disable DNS features on the router if they are not required for the network's function.
Patch guidance
Check the Mercusys official support portal for firmware updates specifically for the AC12G (EU) V1 model. The affected version is AC12G(EU)_V1_200909; verify against the vendor advisory to confirm that newer firmware versions address version.bind query restrictions. Apply firmware updates through the router's web administration interface or via a firmware management tool provided by Mercusys, following their standard procedures to avoid interrupting service or bricking the device. Test in a non-production environment if possible. After patching, re-run DNS reconnaissance tests (dig version.bind @<router-ip> CH TXT) to confirm the information is no longer disclosed.
Detection guidance
Monitor DNS query logs for CHAOS TXT queries targeting version.bind or similar reconnaissance patterns. Use network monitoring tools (Zeek, Suricata, tcpdump) to flag DNS queries with the CHAOS class targeting sensitive queries on internal routers. Implement DNS query logging at the router level if available. Check for suspicious patterns of DNS reconnaissance from client IP addresses on the network. In security operations, this is a low-priority detection task unless correlated with other attack indicators (lateral movement, credential testing, etc.), but it can serve as an early warning of reconnaissance activity.
Why prioritize this
This vulnerability warrants attention but not top-tier priority for most organizations. It is a MEDIUM-severity information disclosure with limited scope (local network only) and moderate exploitability barriers (network proximity required). Prioritization should be higher if: (1) the organization uses this router model in a security-sensitive environment (branch office, DMZ gateway, etc.); (2) the network has a significant insider threat or a history of lateral movement incidents; or (3) the router is exposed to untrusted network segments. For typical business environments, this is a patch-on-cycle item rather than an emergency fix.
Risk score, explained
CVSS 3.1 score of 4.3 reflects a vulnerability with limited but real impact. The Adjacent Network (AV:A) vector acknowledges that an attacker needs to be on or near the network to exploit it. Attack Complexity Low (AC:L) and No Privileges Required (PR:N) show that the actual exploit is trivial once access is gained. Unchanged Scope (S:U) means the compromise is confined to the affected router. Low Confidentiality Impact (C:L) is appropriate because only version information is leaked, not sensitive user data or cryptographic material. No Integrity or Availability impact reflects that this is reconnaissance-only. The score sits at the midpoint of MEDIUM severity, indicating it is a real concern but not critical.
Frequently asked questions
Can an attacker exploit this vulnerability from the internet without being on the local network?
No. The CVSS vector AV:A (Adjacent Network) means the attacker must be on the same network segment or have a direct routing path to the router. This rules out remote exploitation from the public internet unless the router is directly exposed or the attacker has already compromised a device on the internal network.
What is unbound 1.22.0 and why does version disclosure matter?
Unbound is a widely-used open-source DNS resolver. By knowing the exact version, an attacker can look up known CVEs affecting unbound 1.22.0 and attempt to exploit them. This accelerates the attack lifecycle by eliminating guesswork about which vulnerabilities might work. Not all version disclosures are critical, but version.bind queries are a well-known reconnaissance technique.
Is this vulnerability currently being exploited in the wild?
The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, which suggests active exploitation in the wild has not been documented at the time of publication. However, the attack is straightforward enough that opportunistic attackers may leverage it as part of network reconnaissance. Do not assume absence from the KEV list means the vulnerability is not a risk to your environment.
What firmware version should I update to?
Verify the latest firmware version available for the AC12G (EU) V1 on the official Mercusys support page. The current affected version is AC12G(EU)_V1_200909. Apply any newer version that explicitly addresses DNS version disclosure or security hardening. Always back up your router configuration before updating firmware.
This analysis is provided for informational purposes and represents the current state of public information as of the modification date (2026-06-17). No exploit code or detailed weaponization steps are provided. Organizations should verify all patch versions, affected product lists, and remediation procedures against official vendor advisories before taking action. SEC.co makes no warranty regarding the completeness or accuracy of this information and recommends independent security assessment of any systems potentially affected by this vulnerability. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-10254MEDIUMUnauthenticated Information Disclosure in SourceCodester Pet Grooming Software
- CVE-2026-10854MEDIUMMISP Galaxy Visibility Control Bypass – Unauthorized Private Metadata Access
- CVE-2026-10864MEDIUMMISP Dashboard Widget Field Filtering Bypass (Medium)
- CVE-2026-2128MEDIUMBreeze WordPress Plugin Cache Information Disclosure (v2.5.2 and earlier)
- CVE-2026-28511MEDIUMeLabFTW Information Disclosure – Title Exposure via Cross-Scope Search
- CVE-2026-36602MEDIUMMercusys AC12G Kernel Memory Disclosure via UPnP
- CVE-2026-36615MEDIUMMercusys AC12G (EU) Unauthenticated Information Disclosure via /agileconfigreset Endpoint
- CVE-2026-42358MEDIUMApache Airflow Secret Masking Bypass for Deeply Nested JSON Variables