CVE-2026-36604: Mercusys AC12G DNS Rebinding Vulnerability

CVE-2026-36604 is a DNS rebinding flaw in Mercusys AC12G (EU) V1 router that enables attackers to bypass network boundaries and exploit CORS misconfigurations. This article covers technical details, affected versions, and mitigation.

CVE-2026-36604 Overview

CVE-2026-36604 affects the Mercusys AC12G (EU) V1 router running firmware AC12G(EU)_V1_200909. The device does not validate the HTTP Host header on its web management interface. This omission enables DNS rebinding attacks against the router's local administrative interface: an external attacker can point an attacker-controlled domain at the router's internal IP address, so a victim's browser treats requests to the router as same-origin with the attacker's page. The flaw extends an existing CORS wildcard issue (Access-Control-Allow-Origin: *) to internet-originated attacks, allowing remote reads of authenticated router data when a victim visits a malicious page. The weakness is categorized as CWE-350 (Reliance on Reverse DNS Resolution for a Security-Critical Action).

Critical Impact

A remote attacker can exfiltrate sensitive router configuration data after a user visits a malicious web page, bypassing same-origin protections through DNS rebinding combined with the device's permissive CORS policy.

Affected Products

  • Mercusys AC12G (EU) V1 router
  • Firmware version AC12G(EU)_V1_200909
  • Web management HTTP interface

Discovery Timeline

  • 2026-06-03 - CVE-2026-36604 published to NVD
  • 2026-06-03 - Last updated in NVD database

Technical Details for CVE-2026-36604

Vulnerability Analysis

The Mercusys AC12G web server accepts HTTP requests regardless of the value supplied in the Host header. Browsers enforce the same-origin policy based on the hostname a user navigates to, not the destination IP address. When a router accepts any Host value, an attacker can register a domain whose DNS record initially resolves to an attacker-controlled server, then re-resolves to the router's RFC1918 address such as 192.168.1.1.

The second resolution causes the victim's browser to send subsequent requests to the router while treating them as same-origin with the attacker's domain. Because the router additionally returns Access-Control-Allow-Origin: *, cross-origin script reads of authenticated responses succeed. The attacker can enumerate Wi-Fi credentials, connected clients, and configuration data exposed through the management API.

Root Cause

The firmware does not enforce an allowlist of expected Host header values such as the router's LAN IP address or a fixed local hostname. The web server treats DNS resolution as a trust boundary, which violates CWE-350. The condition is compounded by the permissive CORS configuration in the same management interface.
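The following Python is an added example, not Mercusys firmware code, showing the two server-side checks the root cause describes as missing: a Host header allowlist consulted before any session lookup, and a CORS policy that echoes only the device's own origins instead of `*`. The device identity (`192.168.1.1`, `router.lan`) is a constructed assumption; real firmware would take it from the LAN interface configuration.

```python
"""Host-header allowlisting and origin-scoped CORS for an embedded web UI.

Added example, not Mercusys firmware code. It implements the two checks the
advisory says the AC12G management interface lacks: reject any request
whose Host header does not name the device itself, and never emit a
wildcard Access-Control-Allow-Origin on authenticated responses.
"""
import re
from typing import Dict, Optional, Set, Tuple
from urllib.parse import urlsplit

# Constructed device identity: the LAN IP and a fixed local hostname.
DEVICE_HOSTS: Set[str] = {"192.168.1.1", "router.lan"}

# Host = host [":" port], where host is a DNS name, an IPv4 literal, or a
# bracketed IPv6 literal. Anything else (userinfo, paths, spaces) is rejected.
_HOST_RE = re.compile(
    r"^(?:\[(?P<v6>[0-9A-Fa-f:.]+)\]|(?P<name>[A-Za-z0-9.-]+))(?::(?P<port>\d{1,5}))?$"
)


def normalize_host(host_header: Optional[str]) -> Optional[str]:
    """Return the lower-cased hostname from a Host header, or None if malformed."""
    if not host_header:
        return None
    m = _HOST_RE.match(host_header.strip())
    if not m:
        return None
    if m.group("port") is not None and not 0 < int(m.group("port")) < 65536:
        return None
    host = m.group("v6") or m.group("name")
    return host.lower().rstrip(".")  # a trailing-dot FQDN is the same name


def host_allowed(host_header: Optional[str], allowed: Set[str] = DEVICE_HOSTS) -> bool:
    """True only when the request addresses the device by one of its own names.

    Under rebinding the browser still sends the attacker's hostname in Host,
    so this single comparison is what stops the technique at the server.
    """
    host = normalize_host(host_header)
    return host is not None and host in allowed


def cors_headers(origin: Optional[str], allowed: Set[str] = DEVICE_HOSTS) -> Dict[str, str]:
    """CORS headers for a response, scoped to the device's own origins.

    The vulnerable configuration answers 'Access-Control-Allow-Origin: *' to
    everyone. Here the Origin is echoed back only when it names the device;
    for any other origin no ACAO header is sent, so the browser refuses to
    hand the response body to script.
    """
    if not origin:
        return {}
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return {}  # also covers the literal "null" origin
    if parts.hostname.lower() not in allowed:
        return {}
    return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}


def check_request(headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Decide how the management UI answers a request: (status, extra headers).

    The Host check runs before any session or credential lookup; an
    unrecognised Host gets 400 Bad Request and no data.
    """
    if not host_allowed(headers.get("Host")):
        return 400, {}
    return 200, cors_headers(headers.get("Origin"))


if __name__ == "__main__":
    # Constructed requests: a LAN admin, and the rebinding case where the
    # browser addresses the router by the attacker's hostname.
    for hdrs in (
        {"Host": "192.168.1.1", "Origin": "http://192.168.1.1"},
        {"Host": "rebind.attacker.example", "Origin": "http://rebind.attacker.example"},
    ):
        print(hdrs["Host"], "->", check_request(hdrs))
```

The Host comparison is deliberately exact rather than suffix-based, and the port is stripped before matching so `192.168.1.1:80` and `192.168.1.1` are treated alike; a hostname with embedded userinfo or a path is rejected outright rather than parsed leniently.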

Attack Vector

Exploitation requires user interaction. A victim on the router's LAN must visit a malicious page that triggers DNS rebinding. The attacker's DNS server returns a short TTL record pointing first to the attacker's host, then rebinds to the router's internal IP. JavaScript on the malicious page then issues XHR or fetch requests to the rebound hostname. The router responds, and the attacker reads the response cross-origin due to the wildcard ACAO header. Refer to the GitHub Advisory for CVE-2026-36604 for technical details.

Detection Methods for CVE-2026-36604

Indicators of Compromise

  • HTTP requests to the router with Host headers containing external or unexpected domain names rather than the LAN IP
  • DNS responses observed on the network with unusually short TTL values resolving to RFC1918 addresses
  • Outbound DNS queries from client browsers to domains that subsequently resolve to the router's internal IP

Detection Strategies

  • Inspect router web server access logs for requests where the Host header does not match the device's LAN address
  • Monitor recursive DNS resolver logs for low-TTL records that flip between public and private IP space
  • Correlate browser network telemetry with DNS resolution events to identify rebinding patterns
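As an added example (not from the advisory, NVD or any vendor tool), the Python below runs the indicators and strategies listed above over constructed log lines: it flags router access-log entries whose Host header is not the device's own address, flags resolver answers where a public name maps to an RFC 1918 or loopback address (recording whether the TTL is short and whether the name previously resolved to a public address), and then joins the two on client and hostname. Both log formats, the device identity and the client addresses are invented for the example; the two regexes would need adapting to a real web server and resolver format.

```python
"""Detection logic for DNS rebinding indicators: unexpected Host headers at
the router and public names answered with private addresses.

Added example; not from the advisory, NVD, or any vendor tool. Both log
formats are constructed (one record per line), so adapt the regexes to
what your web server and resolver really emit.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

LAN_HOSTS = {"192.168.1.1", "router.lan"}           # constructed device identity
LOW_TTL_SECONDS = 60                                 # rebinding relies on short TTLs
LOCAL_SUFFIXES = (".lan", ".local", ".home.arpa")    # names expected to be private

# RFC 1918 plus loopback and IPv6 local ranges. Listed explicitly rather than
# using ipaddress.is_private, which also flags documentation ranges.
PRIVATE_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed access log: client method path host=<Host header> status
ACCESS_LOG = """\
192.168.1.23 GET /admin/status host=192.168.1.1 200
192.168.1.23 GET /admin/status host=router.lan 200
192.168.1.42 GET /admin/wireless host=rebind.attacker.example 200
192.168.1.42 POST /admin/wireless host=192.168.1.1:80 200
"""
_ACCESS_RE = re.compile(r"^(?P<client>\S+) \S+ (?P<path>\S+) host=(?P<host>\S+) \d{3}$")

# Constructed resolver log: epoch client qname answer ttl
DNS_LOG = """\
1000 192.168.1.42 rebind.attacker.example 203.0.113.10 5
1006 192.168.1.42 rebind.attacker.example 192.168.1.1 5
1010 192.168.1.23 www.example.org 93.184.216.34 3600
1020 192.168.1.23 nas.lan 192.168.1.50 3600
"""
_DNS_RE = re.compile(r"^\d+ (?P<client>\S+) (?P<qname>\S+) (?P<answer>\S+) (?P<ttl>\d+)$")


def strip_port(host):
    """Lower-case a Host value and drop a trailing :port (no bracketed IPv6 here)."""
    return re.sub(r":\d+$", "", host.lower()).rstrip(".")


def bad_host_requests(log, lan_hosts=LAN_HOSTS):
    """(client, host, path) for requests whose Host header is not the device."""
    hits = []
    for line in log.splitlines():
        m = _ACCESS_RE.match(line)
        if m and strip_port(m.group("host")) not in lan_hosts:
            hits.append((m.group("client"), strip_port(m.group("host")), m.group("path")))
    return hits


def is_private(addr):
    """True for RFC 1918, loopback and IPv6 local addresses (str or ip_address)."""
    addr = ip_address(addr) if isinstance(addr, str) else addr
    return any(addr in net for net in PRIVATE_NETS)


def rebinding_suspects(log, low_ttl=LOW_TTL_SECONDS):
    """Findings for public names answered with private addresses.

    Each finding records whether the TTL is short and whether the same name
    was earlier answered with a public address: that public -> private flip
    inside one short TTL is the rebinding signature.
    """
    seen_public = defaultdict(set)
    findings = []
    for line in log.splitlines():
        m = _DNS_RE.match(line)
        if not m:
            continue
        qname = m.group("qname").lower().rstrip(".")
        try:
            addr = ip_address(m.group("answer"))
        except ValueError:
            continue  # CNAME or other non-address data
        if not is_private(addr):
            seen_public[qname].add(str(addr))
        elif not qname.endswith(LOCAL_SUFFIXES):  # local names may be private
            ttl = int(m.group("ttl"))
            findings.append({
                "client": m.group("client"), "qname": qname, "answer": str(addr),
                "ttl": ttl, "low_ttl": ttl <= low_ttl, "flipped": bool(seen_public[qname]),
            })
    return findings


def correlate(http_hits, dns_findings):
    """Join both signals on (client, hostname): a client that resolved a public
    name to the gateway and then sent that name as Host to the gateway is the
    strongest indicator on this list."""
    keys = {(f["client"], f["qname"]) for f in dns_findings}
    return [h for h in http_hits if (h[0], h[1]) in keys]


if __name__ == "__main__":
    http_hits = bad_host_requests(ACCESS_LOG)
    dns_hits = rebinding_suspects(DNS_LOG)
    print("unexpected Host headers:", http_hits)
    print("public names -> private answers:", dns_hits)
    print("correlated rebinding suspects:", correlate(http_hits, dns_hits))
```

On the constructed input only the `rebind.attacker.example` lines survive all three checks: the name first resolves to a public address and six seconds later to the gateway with a 5-second TTL, and the same client then sends that name as its Host header to the router. Names under local suffixes resolving to private space are expected and are skipped rather than alerted.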

Monitoring Recommendations

  • Deploy DNS filtering that blocks resolution of public domains to RFC1918 addresses, a technique known as DNS rebinding protection
  • Capture and review HTTP Host header values at network egress and ingress points
  • Alert on JavaScript-initiated requests from external origins targeting LAN gateway addresses

How to Mitigate CVE-2026-36604

Immediate Actions Required

  • Check the Mercusys support portal for firmware newer than AC12G(EU)_V1_200909 and apply it once available
  • Disable remote and local web administration when not actively in use
  • Configure the upstream or local DNS resolver to reject answers that map external domains to private IP ranges

Patch Information

No vendor patch is referenced in the NVD entry or the published advisory at the time of writing. Consult the GitHub Advisory for CVE-2026-36604 and the Mercusys product support page for firmware updates.

Workarounds

  • Enable DNS rebinding protection on an upstream resolver such as dnsmasq, Unbound, or Pi-hole to drop private-address responses for public domains
  • Restrict access to the router's management interface to specific trusted LAN hosts where the device supports ACLs
  • Instruct users to avoid browsing untrusted sites from networks where the affected router operates as the gateway
```bash
# Example: dnsmasq options to reject public domains resolving to private IPs
stop-dns-rebind
# Exempt 127.0.0.0/8 from the rebind check so DNS-based blocklist services keep working
rebind-localhost-ok
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
