Description
Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 discloses kernel memory layout via the UPnP GetStatusInfo action. An unauthenticated attacker on the adjacent network can obtain a raw MIPS KSEG0 kernel pointer, revealing kernel memory layout and aiding further exploitation.
Published: 2026-06-03
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability permits an unauthenticated attacker on the same local network to invoke the UPnP GetStatusInfo action on a Mercusys AC12G (EU) V1 router. The router inadvertently returns a raw MIPS KSEG0 kernel pointer, exposing the kernel memory layout. This information disclosure can facilitate further exploitation by allowing an attacker to compute addresses of kernel objects or code sections, increasing the likelihood of successful privilege escalation or compromise.

Affected Systems

Affected devices include Mercusys AC12G (EU) V1 routers running firmware version AC12G(EU)_V1_200909. The flaw is specific to this firmware build and requires the device to expose its UPnP interface to the adjacent network.

Risk and Exploitability

Because the flaw is limited to local network access and requires no credentials, the attack vector is local. The EPSS score is less than 1%, and the vulnerability is not listed in CISA's KEV catalog. The CVSS score of 4.3 indicates a medium impact. The disclosure of a kernel pointer can accelerate subsequent attacks, implying a medium risk level pending vendor response.

Generated by OpenCVE AI on June 5, 2026 at 06:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Disable or block UPnP on the router to prevent external exposure of the GetStatusInfo action.
  • Segregate the device onto a separate VLAN or subnet that is not accessible from general local traffic.
  • Monitor the router’s network for unexpected UPnP queries and enforce logging or IDS rules to detect exploitation attempts.
  • Once a firmware update that fixes the memory disclosure becomes available, upgrade the router’s firmware.

Generated by OpenCVE AI on June 5, 2026 at 06:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Mercusys
Mercusys ac12g
Vendors & Products Mercusys
Mercusys ac12g

Fri, 05 Jun 2026 06:45:00 +0000

Type Values Removed Values Added
Title Kernel Memory Layout Disclosure via UPnP GetStatusInfo in Mercusys AC12G Router

Fri, 05 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 03 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
Title Kernel Memory Layout Disclosure via UPnP GetStatusInfo in Mercusys AC12G Router
Weaknesses CWE-200

Wed, 03 Jun 2026 17:45:00 +0000

Type Values Removed Values Added
Description Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 discloses kernel memory layout via the UPnP GetStatusInfo action. An unauthenticated attacker on the adjacent network can obtain a raw MIPS KSEG0 kernel pointer, revealing kernel memory layout and aiding further exploitation.
References

Subscriptions

Mercusys Ac12g
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-05T02:03:28.563Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-36602

cve-icon Vulnrichment

Updated: 2026-06-05T02:03:20.249Z

cve-icon NVD

Status : Deferred

Published: 2026-06-03T18:16:21.150

Modified: 2026-06-05T02:17:13.240

Link: CVE-2026-36602

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T10:12:38Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor