Description
Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 exposes 15 of 18 UPnP IGD actions without authentication on port 1900, including AddPortMapping and GetExternalIPAddress. UPnP is enabled by default through the admin interface, allowing any unauthenticated LAN device to create arbitrary port forwarding rules and access WAN traffic statistics.
Published: 2026-06-03
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability exposes 15 of 18 UPnP IGD actions on the Mercusys AC12G router without authentication. An unauthenticated device on the local network can issue AddPortMapping or GetExternalIPAddress requests, allowing the creation of arbitrary port forwarding rules and access to WAN traffic information. The lack of a login or authorization check for these actions makes the router’s network configuration easily manipulable by any LAN host.

Affected Systems

Mercusys AC12G U‑PnP enabled routers running firmware AC12G(EU)_V1_200909 are affected. The router’s default configuration enables UPnP, so the issue exists out of the box.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity. The EPSS score is 0.00022, indicating a very low but nonzero exploitation probability, and the vulnerability is not listed in the CISA KEV catalog, so no official exploitation statistics exist. However, the attack requires only a presence on the local network; any device can send UPnP requests to port 1900. Because no authentication is enforced, exploitation is straightforward for a local attacker and the potential impact includes unauthorized port exposure and visibility into WAN traffic.

Generated by OpenCVE AI on June 5, 2026 at 07:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware update released by Mercusys that removes unauthenticated UPnP actions
  • Disable UPnP from the router’s admin interface if an update is not yet available
  • Restrict LAN devices from sending UPnP traffic on port 1900 using firewall rules or VLAN isolation

Generated by OpenCVE AI on June 5, 2026 at 07:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Mercusys
Mercusys ac12g
Vendors & Products Mercusys
Mercusys ac12g

Fri, 05 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated Access to UPnP Port Forwarding on Mercusys AC12G Router

Fri, 05 Jun 2026 06:15:00 +0000

Type Values Removed Values Added
Title Unauthenticated Port Mapping via UPnP on Mercusys AC12G Router
Weaknesses CWE-284

Fri, 05 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 03 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated Port Mapping via UPnP on Mercusys AC12G Router
Weaknesses CWE-284
CWE-306

Wed, 03 Jun 2026 17:45:00 +0000

Type Values Removed Values Added
Description Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 exposes 15 of 18 UPnP IGD actions without authentication on port 1900, including AddPortMapping and GetExternalIPAddress. UPnP is enabled by default through the admin interface, allowing any unauthenticated LAN device to create arbitrary port forwarding rules and access WAN traffic statistics.
References

Subscriptions

Mercusys Ac12g
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-05T02:04:20.267Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-36603

cve-icon Vulnrichment

Updated: 2026-06-05T02:04:16.530Z

cve-icon NVD

Status : Deferred

Published: 2026-06-03T18:16:21.290

Modified: 2026-06-05T02:17:13.433

Link: CVE-2026-36603

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T10:12:36Z

Weaknesses
  • CWE-306

    Missing Authentication for Critical Function