How is CVE-2026-36603 exploited?

Network reachability (info): The attacker must be on the same local network, LAN segment, or VPN as the target router; remote exploitation over the public internet is not directly possible via this vector (AV:A). Authentication (not-required): No credentials of any kind are needed; the vulnerable UPnP IGD actions are exposed without any authentication check (PR:N). Victim interaction (not-required): The attacker does not need any user on the target network to take any action; exploitation is fully attacker-driven (UI:N). Attack complexity (info): Exploitation is reliable and condition-free; no race conditions, special memory layout, or environmental prerequisites are required (AC:L).

What is the impact of CVE-2026-36603?

An attacker reads the router's external (WAN) IP address and traffic statistics via GetExternalIPAddress and related actions, exposing network topology details. An attacker creates arbitrary port forwarding rules via AddPortMapping, redirecting external internet traffic to any internal host and port without authorization. Internal services that were never intended to be internet-facing, such as administrative interfaces or unpatched LAN services, become reachable from the public internet through attacker-defined forwarding rules. Persistent forwarding rules survive reboots if written to the router's configuration, meaning the exposure continues after the attacker's LAN session ends.

Back to search

HIGHCVE-2026-36603Published 2026-06-03Modified 2026-06-05CNA mitre

CVE-2026-36603: Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 exposes 15 of 18 UPnP IGD actions without authentication on port 1900, including AddPortMapping and GetExternalIPAddress

Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 exposes 15 of 18 UPnP IGD actions without authentication on port 1900, including AddPortMapping and GetExternalIPAddress. UPnP is enabled by default through the admin interface, allowing any unauthenticated LAN device to create arbitrary port forwarding rules and access WAN traffic statistics.

CVSS v3.1: 8.1
Severity: HIGH
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

An authentication-bypass vulnerability in the Mercusys AC12G (EU) V1 router (firmware AC12G(EU)_V1_200909) exposes 15 of 18 UPnP IGD actions on port 1900 without requiring any credentials, including AddPortMapping and GetExternalIPAddress. Any unauthenticated device on the local network can reach these actions because UPnP is enabled by default through the admin interface. Successful exploitation lets an attacker create arbitrary port forwarding rules and read WAN traffic statistics, opening internal services to the internet without authorization. No upstream fix has been published; HarborGuard tracks this advisory for patch availability.

HarborGuard Coverage

Detection

Detection capability for CVE-2026-36603 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication from upstream advisory feeds, including custom-built images that bundle or reference affected firmware versions. Any image layer referencing Mercusys AC12G firmware AC12G(EU)_V1_200909 is flagged automatically as part of continuous pipeline scanning.

Available

Triage

HarborGuard is capable of scoring this CVE at 8.1 HIGH using the published CVSS v3.1 vector and weighting the finding against each customer organization's compliance policy to determine urgency. Triage results are routed to the appropriate team inbox within the customer organization based on policy configuration.

Available

Patch

Because no fix version has been published upstream, HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available the moment a remediated firmware or package version is released. In the meantime, customers can apply compensating controls through HarborGuard's policy engine to flag or block deployment of images containing this firmware version.

Pending upstream

Exploit Conditions

Network reachabilityDetail
The attacker must be on the same local network, LAN segment, or VPN as the target router; remote exploitation over the public internet is not directly possible via this vector (AV:A).
AuthenticationNot required
No credentials of any kind are needed; the vulnerable UPnP IGD actions are exposed without any authentication check (PR:N).
Victim interactionNot required
The attacker does not need any user on the target network to take any action; exploitation is fully attacker-driven (UI:N).
Attack complexityDetail
Exploitation is reliable and condition-free; no race conditions, special memory layout, or environmental prerequisites are required (AC:L).

Blast Radius

An attacker reads the router's external (WAN) IP address and traffic statistics via GetExternalIPAddress and related actions, exposing network topology details.
An attacker creates arbitrary port forwarding rules via AddPortMapping, redirecting external internet traffic to any internal host and port without authorization.
Internal services that were never intended to be internet-facing, such as administrative interfaces or unpatched LAN services, become reachable from the public internet through attacker-defined forwarding rules.
Persistent forwarding rules survive reboots if written to the router's configuration, meaning the exposure continues after the attacker's LAN session ends.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists for CVE-2026-36603, HarborGuard continuously monitors the advisory on every ingest cycle and will surface a patched-image rebuild the moment Mercusys publishes a remediated firmware version. Until then, customers are encouraged to use HarborGuard's policy engine to block or flag deployment of images referencing firmware version AC12G(EU)_V1_200909, and to apply network-policy isolation that restricts which LAN segments can reach UPnP port 1900 on affected devices. Where egress filtering is configurable, restricting outbound UPnP SSDP traffic from untrusted LAN zones reduces the attack surface. HarborGuard will automatically trigger the rebuild-and-PR flow for customers with auto-remediation enabled as soon as a fix version is confirmed upstream.

See how HarborGuard automates this

Affected packages

n/a / n/a
n/a

CVSS Vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References

github.com

Metrics

Get notified