Mercusys AC12G (EU) V1 Unauthenticated UPnP IGD Actions Vulnerability

A vulnerability exists in the Mercusys AC12G (EU) V1 router, specifically in the firmware version AC12G(EU)_V1_200909. The router's UPnP IGD implementation on port 1900 exposes 15 out of 18 actions without authentication. This includes critical functions such as AddPortMapping, which allows arbitrary NAT port forwarding, and GetExternalIPAddress, which reveals the WAN IP address. UPnP is enabled by default and cannot be disabled through the admin interface, leaving any unauthenticated LAN device free to manipulate port forwarding rules and access WAN traffic statistics.

Impact

Exploitation of this vulnerability allows any LAN device to create port forwarding rules, exposing internal services to the internet. Additionally, the WAN connection can be terminated, and sensitive information such as the WAN IP address, traffic statistics, and connection details can be accessed by any LAN client. The lack of authentication on UPnP actions could also enable compromised IoT devices to alter firewall settings without detection.

Remediation

Users are advised to implement UPnP authentication or access controls, provide an option to disable UPnP entirely, restrict the AddPortMapping action to the requesting client's IP address, and rate-limit UPnP operations.