HarborGuardharborguardDatabase
Back to search
HIGHCVE-2026-36608Published Modified CNA mitre

CVE-2026-36608: Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 allows UPnP AddPortMapping to forward external ports to the router's own admin interface by accepting its own IP (192

Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 allows UPnP AddPortMapping to forward external ports to the router's own admin interface by accepting its own IP (192.168.1.1) or localhost (127.0.0.1) as InternalClient. An unauthenticated LAN attacker can expose the admin panel to the internet with a single SOAP request.

Metrics

CVSS v3.1
8.8
Severity
HIGH
Fixed in
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

This is an access-control bypass in the Mercusys AC12G (EU) V1 router running firmware AC12G(EU)_V1_200909. The router's UPnP service accepts AddPortMapping SOAP requests that name the router's own IP address (192.168.1.1) or localhost (127.0.0.1) as the internal forwarding target, which it should reject. An unauthenticated attacker on the local network can send a single crafted SOAP request to permanently expose the router's admin interface to the public internet, enabling full device compromise. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection

Detection of CVE-2026-36608 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in registries and CI/CD pipelines, including custom-built base images that bundle router firmware or embedded Linux stacks.

Available
Triage

HarborGuard scores this finding at CVSS 8.8 HIGH using the published v3.1 vector and weights it against each environment's compliance policy to determine breach-of-threshold status; the resulting alert is routed to the inbox configured for the affected workload's owner within the customer org.

Available
Patch

No fix version has been published upstream for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment Mercusys releases a corrected firmware or an upstream package fix appears; for customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered automatically at that point.

Pending upstream

Exploit Conditions

  • Network reachabilityDetail

    The attacker must be on the same local network segment (LAN, Wi-Fi, or adjacent VLAN) as the router; remote internet-based exploitation is not possible for the initial SOAP request, though success exposes the admin panel to the internet.

  • AuthenticationNot required

    No credentials are needed; the UPnP AddPortMapping endpoint accepts the malicious SOAP request from any unauthenticated LAN client.

  • Victim interactionNot required

    The attacker sends a single SOAP request directly to the router; no user on the target network needs to click anything or take any action.

  • Attack complexityDetail

    Exploitation is reliable and condition-free; no race conditions, memory-layout knowledge, or special environmental factors are required beyond LAN access.

Blast Radius

  • The attacker exposes the router's admin interface to the entire public internet by creating a persistent port-forwarding rule, removing the LAN-only access boundary.
  • An internet-side attacker who reaches the newly exposed admin panel can read all router configuration including Wi-Fi credentials, VPN secrets, and connected-device tables.
  • An internet-side attacker can modify routing rules, DNS settings, and firewall policies, redirecting or intercepting all traffic passing through the router.
  • Full control of the router allows the attacker to disrupt connectivity for every device on the network by altering or disabling WAN or LAN configuration.

How HarborGuard Handles This

Available on HarborGuard: this CVE is monitored on every ingest cycle because no upstream fix exists yet. For environments running container images that embed Mercusys firmware components or adjacent embedded-Linux packages, HarborGuard flags the affected image layers and surfaces the finding in the compliance dashboard. As a compensating control, customers can use HarborGuard network-policy suggestions to isolate UPnP-facing workloads, restrict egress from management interfaces, and gate UPnP feature exposure via environment-level policy rules until Mercusys publishes a patch. The moment an upstream fix is available, a patched-image rebuild will become available on HarborGuard; for customers who opt into auto-remediation, the rebuild, regression test run, and a PR opened against affected workloads will follow automatically.

See how HarborGuard automates this
Affected packages
  • n/a / n/a
    n/a
CVSS Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References