Mercusys AC12G (EU) V1 UPnP Self-Mapping Vulnerability Exposes Admin Panel to Internet

Vulnerability

A vulnerability in the Mercusys AC12G (EU) V1 router, running firmware AC12G(EU)_V1_200909, allows for unauthorized port forwarding to the router's admin interface. This is achieved through the UPnP 'AddPortMapping' function, which accepts the router's own IP address or localhost as the 'InternalClient' parameter. An unauthenticated attacker on the local network can exploit this flaw to make the admin panel accessible from the internet.

Impact

A single unauthenticated request exposes the admin panel to the internet. Combined with CVE-2026-36607, which allows the admin password to be brute-forced from anywhere on the internet, this can lead to remote takeover of the router.

Reproduction

The vulnerability can be reproduced by sending a SOAP request to the UPnP 'AddPortMapping' action, using the router's LAN IP (192.168.1.1) or localhost (127.0.0.1) as the 'InternalClient'. This request will create a port forwarding rule that directs traffic from a specified WAN port to the router's admin interface on port 80. After the mapping is established, the WAN IP can be retrieved using the 'GetExternalIPAddress' action, confirming that the admin panel is accessible from the internet at the forwarded port.

Remediation

No official fix is planned for this end-of-life product. However, it is recommended to reject 'AddPortMapping' requests that specify the router's own IP addresses as the 'InternalClient', restrict port forwarding on well-known service ports, and implement UPnP authentication according to the UPnP Device Security specification.
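The first two mitigations above can be implemented as a request check in the IGD service. The following is an added example, not code from the vendor or this advisory: it parses the arguments of an AddPortMapping SOAP request and refuses mappings whose InternalClient is loopback, the router's own address, or outside the LAN, or whose InternalPort is a management port. The router addresses, LAN subnet, restricted-port set and the sample request are constructed assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed policy values; a real IGD would take these from its own configuration.
ROUTER_ADDRESSES = {ipaddress.ip_address("192.168.1.1")}
LAN_NETWORK = ipaddress.ip_network("192.168.1.0/24")
# Management ports the router itself serves; forwarding to them is refused (policy assumption).
RESTRICTED_PORTS = {22, 23, 80, 443, 1900, 8080}

# Constructed sample of the request shape described in the advisory (InternalClient = router LAN IP).
SAMPLE_REQUEST = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
 <s:Body>
  <u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
   <NewExternalPort>8080</NewExternalPort>
   <NewProtocol>TCP</NewProtocol>
   <NewInternalPort>80</NewInternalPort>
   <NewInternalClient>192.168.1.1</NewInternalClient>
  </u:AddPortMapping>
 </s:Body>
</s:Envelope>"""

def parse_add_port_mapping(soap_body: str) -> dict:
    """Collect the New* argument elements of an AddPortMapping envelope, ignoring namespaces."""
    root = ET.fromstring(soap_body)
    args = {}
    for elem in root.iter():
        tag = elem.tag.rsplit("}", 1)[-1]  # strip any {namespace} prefix
        if tag.startswith("New"):
            args[tag] = (elem.text or "").strip()
    return args

def check_add_port_mapping(args: dict) -> tuple[bool, str]:
    """Return (accepted, reason); reject mappings that would reach the router itself."""
    try:
        client = ipaddress.ip_address(args.get("NewInternalClient", ""))
        internal_port = int(args.get("NewInternalPort", "0"))
    except ValueError:
        return False, "malformed InternalClient or InternalPort"
    if client.is_loopback or client.is_unspecified:
        return False, "InternalClient is loopback/unspecified"
    if client in ROUTER_ADDRESSES:
        return False, "InternalClient is the router's own address"
    if client not in LAN_NETWORK:
        return False, "InternalClient outside LAN"
    if internal_port in RESTRICTED_PORTS:
        return False, f"InternalPort {internal_port} is a restricted service port"
    return True, "ok"
```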

Added: Jun 3, 2026, 6:52 PM
Updated: Jun 3, 2026, 6:52 PM

Vulnerability Rating

Custom Algorithm
spread          0.0
impact          5.0
exploitability  6.2
remediation     0.0
relevance       9.9
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.