CVE-2026-36603 Overview
CVE-2026-36603 affects the Mercusys AC12G (EU) V1 router running firmware AC12G(EU)_V1_200909. The device exposes 15 of 18 Universal Plug and Play (UPnP) Internet Gateway Device (IGD) actions on port 1900 without authentication. Exposed actions include AddPortMapping and GetExternalIPAddress. UPnP is enabled by default through the administrative interface. Any unauthenticated device on the LAN can create arbitrary port forwarding rules and read WAN traffic statistics. This is a Broken Access Control issue affecting the embedded UPnP service.
Critical Impact
Unauthenticated LAN attackers can forward arbitrary internal services to the public WAN interface and enumerate network state without credentials.
Affected Products
- Mercusys AC12G (EU) V1 router
- Firmware version AC12G(EU)_V1_200909
- UPnP IGD service listening on port 1900
Discovery Timeline
- 2026-06-03 - CVE-2026-36603 published to NVD
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-36603
Vulnerability Analysis
The Mercusys AC12G router ships with a UPnP IGD daemon bound to port 1900 on the LAN interface. The daemon implements 18 standard IGD SOAP actions, but 15 of them accept requests without any authentication check. Exposed actions include AddPortMapping, DeletePortMapping, GetExternalIPAddress, and GetGenericPortMappingEntry. UPnP is enabled by default in the router's web administration interface.
An unauthenticated host on the LAN can craft SOAP requests to the IGD control URL and instruct the router to create inbound port forwards from the WAN. This effectively bypasses the router's role as a perimeter and exposes internal services such as Remote Desktop Protocol (RDP), Server Message Block (SMB), or device management ports to the internet.
Root Cause
The UPnP IGD implementation does not validate the origin or authorization of incoming SOAP requests. The protocol specification permits this trust model, but the vendor compounds the issue by enabling UPnP by default and by exposing high-impact actions like AddPortMapping without further controls. This pattern aligns with Missing Authentication for Critical Function and Insecure Default Configuration weaknesses.
Attack Vector
An attacker on the LAN, including malware on a compromised endpoint or a guest device, sends a SOAP POST request to the router's UPnP control endpoint. The request specifies an external port, an internal IP, and an internal port. The router silently installs the firewall rule. The attacker then accesses the forwarded service directly from the internet. See the GitHub Security Advisory for the full list of exposed actions and proof-of-concept SOAP payloads.
Detection Methods for CVE-2026-36603
Indicators of Compromise
- Unexpected entries in the router's port forwarding table that were not created by an administrator
- SOAP requests to the UPnP control URL on port 1900 originating from non-administrative LAN hosts
- Inbound WAN connections to internal hosts on ports that should not be reachable from the internet
- Outbound discovery traffic from LAN endpoints sending M-SEARCH SSDP queries followed by SOAP POSTs
Detection Strategies
- Inspect the router's active port forwarding table on a recurring schedule and alert on rules not created through change management
- Capture LAN traffic to UDP/1900 and TCP control URLs, and flag AddPortMapping or DeletePortMapping SOAP actions
- Correlate new inbound WAN flows with recent UPnP activity on the LAN segment
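The two traffic-based strategies above (flagging AddPortMapping/DeletePortMapping SOAP actions from non-administrative LAN hosts, and comparing the router's forwarding table against change-management records) can be reduced to a small triage script. The following is an added example written for this page, not code from the advisory or from Mercusys. It assumes that HTTP transactions to the router's UPnP control URL have already been exported from a packet capture as records carrying the source IP, the SOAPAction header and the request body; the admin allowlist, the sample transactions and the sample forwarding table are constructed for illustration.

```python
"""Triage UPnP IGD control traffic and the router's port-forwarding table."""
import re
import xml.etree.ElementTree as ET

# Assumption (constructed): the only LAN hosts expected to issue UPnP control requests.
ADMIN_HOSTS = {"192.168.1.10"}

# IGD actions that change NAT state; everything else is treated as read/enumeration.
STATE_CHANGING = {"AddPortMapping", "DeletePortMapping"}

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WANIP_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"
MAPPING_ARGS = ("NewProtocol", "NewExternalPort", "NewInternalClient", "NewInternalPort")


def action_name(soap_action_header, body):
    """Return the IGD action name, preferring the SOAPAction header and
    falling back to the first element inside the SOAP Body."""
    if soap_action_header:
        m = re.search(r'#(\w+)"?\s*$', soap_action_header)
        if m:
            return m.group(1)
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    soap_body = root.find(f"{{{SOAP_NS}}}Body")
    if soap_body is None or len(soap_body) == 0:
        return None
    # "{urn:...:WANIPConnection:1}AddPortMapping" -> "AddPortMapping"
    return soap_body[0].tag.rsplit("}", 1)[-1]


def mapping_args(body):
    """Extract the port-mapping arguments (protocol, ports, internal client)."""
    out = {}
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return out
    for el in root.iter():
        name = el.tag.rsplit("}", 1)[-1]
        if name in MAPPING_ARGS:
            out[name] = (el.text or "").strip()
    return out


def analyze(transactions, admin_hosts=ADMIN_HOSTS):
    """One alert per UPnP control request from a host not on the allowlist:
    'high' for state-changing actions (with the requested mapping attached),
    'low' for anything else (network-state enumeration). Admin-host traffic
    and unparseable requests produce no alert."""
    alerts = []
    for tx in transactions:
        action = action_name(tx.get("soap_action"), tx.get("body", ""))
        if action is None or tx["src"] in admin_hosts:
            continue
        high = action in STATE_CHANGING
        alerts.append({
            "src": tx["src"],
            "action": action,
            "severity": "high" if high else "low",
            "args": mapping_args(tx["body"]) if high else {},
        })
    return alerts


def unauthorized_mappings(table, approved):
    """Forwarding-table entries absent from the change-management record.
    'approved' holds tuples of (protocol, external port, internal client, internal port)."""
    return [m for m in table
            if (m["proto"], m["ext_port"], m["int_client"], m["int_port"]) not in approved]


def _envelope(action, inner):
    """Build a minimal SOAP envelope for the constructed sample records."""
    return (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
            f'<u:{action} xmlns:u="{WANIP_NS}">{inner}</u:{action}>'
            f'</s:Body></s:Envelope>')


# Constructed sample transactions: a non-admin host adding a forward for RDP, the same
# host reading the WAN address with the SOAPAction header missing, and an admin host
# removing a mapping.
SAMPLE_TRANSACTIONS = [
    {"src": "192.168.1.50", "soap_action": f'"{WANIP_NS}#AddPortMapping"',
     "body": _envelope("AddPortMapping",
                       "<NewRemoteHost></NewRemoteHost><NewExternalPort>3389</NewExternalPort>"
                       "<NewProtocol>TCP</NewProtocol><NewInternalPort>3389</NewInternalPort>"
                       "<NewInternalClient>192.168.1.50</NewInternalClient><NewEnabled>1</NewEnabled>"
                       "<NewPortMappingDescription>x</NewPortMappingDescription>"
                       "<NewLeaseDuration>0</NewLeaseDuration>")},
    {"src": "192.168.1.50", "soap_action": None,
     "body": _envelope("GetExternalIPAddress", "")},
    {"src": "192.168.1.10", "soap_action": f'"{WANIP_NS}#DeletePortMapping"',
     "body": _envelope("DeletePortMapping",
                       "<NewRemoteHost></NewRemoteHost><NewExternalPort>8080</NewExternalPort>"
                       "<NewProtocol>TCP</NewProtocol>")},
]

# Constructed sample of the router's forwarding table and the approved change record.
FORWARD_TABLE = [
    {"proto": "TCP", "ext_port": 443, "int_client": "192.168.1.20", "int_port": 443},
    {"proto": "TCP", "ext_port": 3389, "int_client": "192.168.1.50", "int_port": 3389},
]
APPROVED = {("TCP", 443, "192.168.1.20", 443)}

if __name__ == "__main__":
    for a in analyze(SAMPLE_TRANSACTIONS):
        print(a)
    for m in unauthorized_mappings(FORWARD_TABLE, APPROVED):
        print("unapproved forward:", m)
```

On the sample data the script raises one high alert (the AddPortMapping from 192.168.1.50 requesting external port 3389 to that same host), one low alert for the GetExternalIPAddress read, nothing for the admin host, and reports the 3389 entry as an unapproved forward; the high alert and the unapproved table entry referencing the same internal client and port is exactly the correlation the third strategy above calls for.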
Monitoring Recommendations
- Forward router syslog and connection tracking events to a central log platform for review
- Track WAN port exposure changes over time using external port scans of the router's public IP
- Alert on any host other than known network administration tools issuing UPnP SOAP requests
How to Mitigate CVE-2026-36603
Immediate Actions Required
- Disable UPnP in the Mercusys AC12G administrative interface under the advanced networking settings
- Audit the current port forwarding table and remove any rules not explicitly authorized
- Restrict device administration access to a trusted management VLAN where possible
- Segment untrusted devices, such as IoT and guest endpoints, onto an isolated network
Patch Information
No vendor patch is referenced in the advisory at the time of publication. Monitor the GitHub Security Advisory and Mercusys support channels for firmware updates beyond AC12G(EU)_V1_200909.
Workarounds
- Turn off UPnP entirely and manage any required port forwards manually through the authenticated web interface
- Block UDP/1900 and the UPnP control TCP port at the LAN switch using access control lists where supported
- Replace the device with hardware that enforces authentication on UPnP control actions if disabling UPnP is not operationally feasible
# Configuration example: verify UPnP is disabled and inspect forwarding rules
# Log in to the router web UI at the LAN gateway IP
# Navigate to: Advanced > NAT Forwarding > UPnP
# Set UPnP to: Disabled
# Then review: Advanced > NAT Forwarding > Port Forwarding
# Remove any entries not created by an administrator
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.