top of page
perceptive_background_267k.jpg

Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 returns 128 bytes of uninitialized buffer when receiving POST requests without SOAPAction header on UPn…

Published:

2 June 2026 at 22:00:00

Alert date:

3 June 2026 at 21:02:42

Source:

nvd.nist.gov

Click to open the original link from this advisory

Mobile & IoT, Network Infrastructure

Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 contains a vulnerability that exposes 128 bytes of uninitialized buffer memory when processing POST requests without SOAPAction header on UPnP port 1900. This memory disclosure vulnerability can be exploited by unauthenticated attackers on adjacent networks, potentially revealing sensitive internal memory contents. The vulnerability affects the UPnP service implementation and requires no authentication to exploit.

Technical details

Mitigation steps:

Affected products:

Mercusys AC12G

Related links:

https://nvd.nist.gov/vuln/detail/CVE-2026-36611
https://github.com/Tymbark7372/MERCUSYS-AC12G/blob/master/advisories/CVE-2026-36611.md

Related CVE's:

Related threat actors:

IOC's:

This article was created with the assistance of AI technology by Perceptive.

About us

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: Deze website toont informatie afkomstig van externe bronnen. Perceptive aanvaardt geen verantwoordelijkheid voor de inhoud, juistheid of volledigheid van deze informatie.

bottom of page