CVE-2026-36603EPSS p11.3%

CVE-2026-36603CVE-2026-36603

Description

Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 exposes 15 of 18 UPnP IGD actions without authentication on port 1900, including AddPortMapping and GetExternalIPAddress. UPnP is enabled by default through the admin interface, allowing any unauthenticated LAN device to create arbitrary port forwarding rules and access WAN traffic statistics.

Scoring

CVSS 8.1 ()
VectorCVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS0.21% probability of exploitation · percentile 11.3% · 2026-06-18T12:00:27Z
Last modified2026-06-05

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-36608
CVE
CVE-2026-36611
CVE
CVE-2026-36602
CVE
CVE-2026-36615
CVE
CVE-2026-36604
CVE
CVE-2026-36613
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.