CVE-2026-36608

Published: Giu 03, 2026 Last Modified: Giu 03, 2026

ExploitDB:

Other exploit source:

Google Dorks:

HIGH 8,8

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

Attack Vector: adjacent_network

Attack Complexity: low

Privileges Required: none

User Interaction: none

Scope: unchanged

Confidentiality: high

Integrity: high

Availability: high

Description

AI Translation Available

Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 allows UPnP AddPortMapping to forward external ports to the router's own admin interface by accepting its own IP (192.168.1.1) or localhost (127.0.0.1) as InternalClient. An unauthenticated LAN attacker can expose the admin panel to the internet with a single SOAP request.

441

Unintended Proxy or Intermediary ('Confused Deputy')

Draft

Abstraction: Class Structure: Simple

Common Consequences

Security Scopes Affected:

Non-Repudiation Access Control

Potential Impacts:

Gain Privileges Or Assume Identity Hide Activities Execute Unauthorized Code Or Commands

Applicable Platforms

All platforms may be affected

View CWE Details

https://github.com/Tymbark7372/MERCUSYS-AC12G/blob/master/a…

https://github.com/Tymbark7372/MERCUSYS-AC12G/blob/master/advisories/CVE-2026-3…

CVE-2026-36608

Description

Unintended Proxy or Intermediary ('Confused Deputy')

Common Consequences

Applicable Platforms

Iscriviti alla newsletter