Cyber Resilience

CVE-2026-36608

Severity: High

Published: 03 June 2026

Modified: 17 June 2026
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0018 (7.9th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-36608 is a high-severity Confused Deputy (CWE-441) vulnerability. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique External Remote Services (T1133). EPSS ranks it at the 7.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.


Vulnerability details

Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 allows UPnP AddPortMapping to forward external ports to the router's own admin interface by accepting its own IP (192.168.1.1) or localhost (127.0.0.1) as InternalClient. An unauthenticated LAN attacker can expose the admin panel to the internet with a single SOAP request.


MITRE ATT&CK Enterprise Techniques (AI)

T1133 External Remote Services (Persistence)
Adversaries may leverage external-facing remote services to initially access and/or persist within a network.
Why these techniques?

The vulnerability directly enables unauthorized external exposure of the router's admin interface through abuse of UPnP port mapping (CWE-441).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-48646 (shares CWE-441)
CVE-2025-48570 (shares CWE-441)
CVE-2023-31313 (shares CWE-441)
CVE-2026-0021 (shares CWE-441)
CVE-2026-0098 (shares CWE-441)
CVE-2026-0107 (shares CWE-441)
CVE-2026-0008 (shares CWE-441)
CVE-2026-0013 (shares CWE-441)
CVE-2025-48579 (shares CWE-441)
CVE-2026-39906 (shares CWE-441)


Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses: CWE-441

Mitigates confused deputy risks by ensuring distinct privilege domains so one partition cannot unintentionally act on behalf of another.
