Description
Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 allows UPnP AddPortMapping to forward external ports to the router's own admin interface by accepting its own IP (192.168.1.1) or localhost (127.0.0.1) as InternalClient. An unauthenticated LAN attacker can expose the admin panel to the internet with a single SOAP request.
Published: 2026-06-03
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Mercusys AC12G (EU) V1 router performs insufficient validation of the InternalClient argument in its UPnP AddPortMapping service, accepting the router’s own LAN address (192.168.1.1) and the loopback address (127.0.0.1) as a mapping target. An unauthenticated attacker on the LAN can therefore map any external port to the router’s administrative interface with a single SOAP request, exposing the privileged web interface to the internet. An attacker who then reaches the admin panel from outside the local network can potentially read configuration data, modify settings, or execute commands with full administrative privileges.
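The flaw described above comes down to which addresses AddPortMapping accepts as InternalClient. The following is an added example, not Mercusys firmware code: a weak check of the kind the advisory describes beside a hardened one that rejects loopback, the router's own address and off-LAN targets. The LAN subnet 192.168.1.0/24 and the requester-must-equal-target rule (as in miniupnpd's secure_mode) are assumptions, not details from the advisory.

```python
import ipaddress

# Constructed for this example: the advisory names 192.168.1.1 as the router's
# LAN address; the /24 subnet is an assumption, not taken from the page.
ROUTER_ADDRS = {ipaddress.ip_address("192.168.1.1")}
LAN_NETWORK = ipaddress.ip_network("192.168.1.0/24")


def weak_internal_client_check(internal_client: str) -> bool:
    """The kind of check the advisory describes: any syntactically valid
    IPv4 address is accepted, so 192.168.1.1 and 127.0.0.1 both pass."""
    try:
        ipaddress.IPv4Address(internal_client)
    except ValueError:
        return False
    return True


def hardened_internal_client_check(internal_client: str, requester: str,
                                   require_self: bool = True) -> tuple[bool, str]:
    """Return (accepted, reason). Rejects loopback, the router's own
    addresses, anything outside the LAN subnet and non-unicast targets, and
    (when require_self is set, like miniupnpd's secure_mode) any mapping that
    does not point back at the host that sent the request."""
    try:
        ip = ipaddress.ip_address(internal_client)
        src = ipaddress.ip_address(requester)
    except ValueError:
        return False, "InternalClient or requester is not a valid IP address"
    if src not in LAN_NETWORK:
        return False, "request did not originate from the LAN"
    if ip.is_loopback or ip.is_unspecified or ip.is_multicast:
        return False, "InternalClient must be a unicast host address"
    if ip in ROUTER_ADDRS:
        return False, "InternalClient must not be the router itself"
    if ip not in LAN_NETWORK:
        return False, "InternalClient must be inside the LAN subnet"
    if require_self and ip != src:
        return False, "InternalClient must be the requesting host"
    return True, "ok"
```

The hardened check also covers the IPv6 loopback (::1), which a purely IPv4 string check would not see.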

Affected Systems

Mercusys AC12G (EU) V1 router, firmware AC12G(EU)_V1_200909. No other manufacturer or model numbers were listed in the advisory.

Risk and Exploitability

The record lists no EPSS score or KEV status, so data on real-world exploitation is currently unavailable. The CVSS score of 8.8 indicates high severity. The attack path requires only a foothold on the LAN and a single unauthenticated SOAP request to the UPnP service, conditions that are common in many home and small-office networks. Once the port mapping is created, the attacker can reach the router’s admin panel from the wider internet, a high-impact consequence that can lead to full device compromise. Given the ease of exploitation and the severe potential impact, the risk is considered moderate to high.

Generated by OpenCVE AI on June 3, 2026 at 20:52 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Install a firmware version that fixes the UPnP validation logic.
  • If no patch is available, disable the UPnP service entirely.
  • Block external access to the router’s management ports using the firewall or ACL settings.
  • Monitor the network for abnormal UPnP traffic.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 21:15:00 +0000

Type          Values Removed   Values Added
Title                          Unauthenticated WAN Exposure of Router Admin Interface via UPnP AddPortMapping
Weaknesses                     CWE-20

Wed, 03 Jun 2026 19:15:00 +0000

Type          Values Removed   Values Added
Title                          Unauthenticated WAN Exposure of Router Admin Interface via UPnP AddPortMapping
Weaknesses                     CWE-20
                               CWE-441
Metrics                        cvssV3_1
                               {'score': 8.8, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
                               ssvc
                               {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 03 Jun 2026 17:45:00 +0000

Type          Values Removed   Values Added
Description                    Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 allows UPnP AddPortMapping to forward external ports to the router's own admin interface by accepting its own IP (192.168.1.1) or localhost (127.0.0.1) as InternalClient. An unauthenticated LAN attacker can expose the admin panel to the internet with a single SOAP request.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-03T18:34:27.788Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-36608

Vulnrichment

Updated: 2026-06-03T18:34:18.015Z

NVD

Status : Received

Published: 2026-06-03T18:16:21.923

Modified: 2026-06-03T19:16:32.983

Link: CVE-2026-36608

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T21:00:06Z

Weaknesses