CVE-2026-36608 Overview
CVE-2026-36608 affects the Mercusys AC12G (EU) V1 router running firmware AC12G(EU)_V1_200909. The router's Universal Plug and Play (UPnP) service accepts AddPortMapping SOAP requests that target the router's own LAN IP (192.168.1.1) or loopback address (127.0.0.1) as the InternalClient. An unauthenticated attacker on the local network can forward an external WAN port to the router's administrative web interface using a single SOAP request. The flaw maps to CWE-441: Unintended Proxy or Intermediary.
Critical Impact
A LAN-adjacent attacker can publish the router admin panel to the public internet without authentication, enabling remote credential attacks against the management interface.
Affected Products
- Mercusys AC12G (EU) V1 router
- Firmware version AC12G(EU)_V1_200909
- UPnP IGD service on the affected device
Discovery Timeline
- 2026-06-03 - CVE-2026-36608 published to NVD
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-36608
Vulnerability Analysis
The Mercusys AC12G exposes a UPnP Internet Gateway Device (IGD) service on the LAN. UPnP AddPortMapping is designed to let LAN hosts request that the router forward an external WAN port to an internal client. The specification expects the InternalClient field to reference a host other than the gateway itself.
The AC12G firmware fails to validate this field. It accepts the router's own LAN address 192.168.1.1 and the loopback address 127.0.0.1 as valid forwarding targets. When an attacker submits such a mapping, the router forwards a chosen external WAN port to its own administrative web interface.
The result is that the management console becomes reachable from the public internet over the attacker-selected WAN port. Once exposed, the admin panel is subject to credential brute force, default credential abuse, and any authenticated post-login vulnerabilities present in the firmware.
Root Cause
The root cause is missing destination validation in the UPnP IGD service. The router does not reject InternalClient values that resolve to the gateway itself or to loopback. This violates the UPnP IGD security guidance that prohibits port mappings targeting the gateway.
Attack Vector
The attacker must be on the LAN, including a guest Wi-Fi segment if UPnP traffic is reachable. The attacker sends a single SOAP AddPortMapping request to the UPnP control URL of the router. The request specifies an external WAN port, TCP protocol, and InternalClient=192.168.1.1 or 127.0.0.1 with the admin HTTP port as InternalPort. After the mapping is created, the router's admin interface becomes reachable from any internet host that connects to the WAN IP on the chosen external port. No authentication is required to issue the UPnP request. Refer to the GitHub advisory for CVE-2026-36608 for protocol-level request details.
Detection Methods for CVE-2026-36608
Indicators of Compromise
- Unexpected UPnP port mapping entries in the router admin UI where InternalClient is 192.168.1.1 or 127.0.0.1.
- Inbound WAN connections to non-standard ports that terminate at the router's HTTP admin service.
- SOAP AddPortMapping requests directed to the router's UPnP control endpoint from untrusted LAN clients.
Detection Strategies
- Inspect the active UPnP port-forwarding table on the router and flag any entry whose internal target is the gateway IP or loopback.
- Capture LAN traffic to the UPnP service and alert on SOAP bodies whose NewInternalClient element carries the gateway or loopback address, for example <NewInternalClient>192.168.1.1</NewInternalClient> or the same element with 127.0.0.1.
- Scan the WAN IP from an external vantage point for HTTP responses matching the Mercusys admin login page on non-standard ports.
Monitoring Recommendations
- Enable logging on upstream network devices for new inbound flows to the WAN IP and correlate with router port-mapping changes.
- Periodically enumerate UPnP mappings via upnpc -l from a trusted LAN host and diff against an approved baseline.
- Monitor for authentication attempts against the router admin interface originating from WAN source addresses.
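The table inspection and baseline diff described above can be scripted. The following is an added example, not code from the advisory or from Mercusys: it parses mapping rows in the layout printed by miniupnpc's upnpc -l, flags entries whose internal target is the gateway or loopback, and reports anything missing from an approved baseline. The sample listing, the baseline and the function names are constructed for illustration; confirm the row layout against your upnpc version.

```python
import ipaddress
import re

# A mapping row from `upnpc -l`, e.g. " 1 TCP  8443->192.168.1.1:80  'web' '' 0"
ROW = re.compile(
    r"^\s*\d+\s+(?P<proto>TCP|UDP)\s+(?P<ext>\d+)->"
    r"(?P<client>[^\s:]+):(?P<port>\d+)\s+'"
)

def parse_mappings(text):
    """Return (proto, external_port, internal_client, internal_port) tuples."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((m["proto"], int(m["ext"]), m["client"], int(m["port"])))
    return rows

def targets_gateway(client, gateway_ips):
    """True if the internal client is loopback, unspecified, or the gateway."""
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        return True  # not a literal IP: this sketch flags it for manual review
    return addr.is_loopback or addr.is_unspecified or addr in gateway_ips

def audit(text, gateway_ips, baseline):
    """Classify every mapping that is self-targeting or outside the baseline."""
    gw = {ipaddress.ip_address(ip) for ip in gateway_ips}
    findings = []
    for entry in parse_mappings(text):
        if targets_gateway(entry[2], gw):
            findings.append(("self-target",) + entry)
        elif entry not in baseline:
            findings.append(("not-in-baseline",) + entry)
    return findings

# Constructed sample listing (not captured from a real device).
SAMPLE = """\
ExternalIPAddress = 203.0.113.10
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 TCP 51413->192.168.1.50:51413 'torrent' '' 0
 1 TCP  8443->192.168.1.1:80    'web' '' 0
 2 TCP  8444->127.0.0.1:80    'web' '' 0
 3 UDP  3074->192.168.1.77:3074  'console' '' 3600
GetGenericPortMappingEntry() returned 713 (SpecifiedArrayIndexInvalid)
"""
BASELINE = {("TCP", 51413, "192.168.1.50", 51413)}  # constructed approved set

if __name__ == "__main__":
    for finding in audit(SAMPLE, ["192.168.1.1"], BASELINE):
        print(*finding)
```

Matching on the whole 127.0.0.0/8 range rather than the literal 127.0.0.1 also catches other loopback addresses that a string comparison would miss.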
How to Mitigate CVE-2026-36608
Immediate Actions Required
- Disable UPnP on the Mercusys AC12G until a vendor firmware update is available.
- Audit and remove existing port-forwarding rules whose internal target is 192.168.1.1 or 127.0.0.1.
- Change the router administrator password and ensure remote management is disabled on the WAN interface.
- Segment IoT and guest devices onto networks that cannot reach the router's UPnP control URL.
Patch Information
No vendor patch is referenced in the NVD record at the time of publication. Monitor the GitHub advisory for CVE-2026-36608 and Mercusys support channels for firmware updates that add validation of the UPnP InternalClient field.
Workarounds
- Turn off the UPnP service in the router web UI to eliminate the AddPortMapping attack surface.
- Block inbound traffic to the WAN IP on all ports except those explicitly required, using an upstream firewall where available.
- Restrict LAN access to the UPnP control endpoint via VLAN segmentation so only trusted hosts can issue SOAP requests.
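# Verify and remove suspicious UPnP mappings from a trusted LAN host
# List the current mappings and note any entry whose internal address is 192.168.1.1 or 127.0.0.1
upnpc -l
# Delete each such entry; replace <ExternalPort> with the external port shown in the listing
upnpc -d <ExternalPort> TCP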


