Mercusys AC12G Router: 15 Vulnerabilities Disclosed on June 3, 2026
Fifteen vulnerabilities were disclosed for the Mercusys AC12G (EU) V1 router, impacting firmware version AC12G(EU)_V1_200909, with issues ranging from hardcoded credentials to unauthenticated information disclosure.

Key findings
- Fifteen vulnerabilities disclosed for Mercusys AC12G (EU) V1 router firmware AC12G(EU)_V1_200909.
- Hardcoded credentials, including WiFi PSK and RADIUS secret, found in firmware.
- Multiple information disclosure flaws reveal internal buffers, software versions, and kernel memory.
- Weak authentication and unauthenticated access to critical functions like UPnP and password changes.
- Denial-of-service vulnerability causes persistent router crashes requiring physical reset.
- Configuration backups encrypted with a hardcoded DES key, exposing all stored credentials.
Mercusys AC12G Router Plagued by 15 Vulnerabilities
On June 3, 2026, a significant batch of fifteen vulnerabilities was disclosed for the Mercusys AC12G (EU) V1 router, specifically affecting firmware version AC12G(EU)_V1_200909. These vulnerabilities, disclosed simultaneously, expose a wide range of security weaknesses, including hardcoded credentials, unauthenticated information disclosure, weak authentication mechanisms, and denial-of-service possibilities. The sheer volume and variety of these flaws indicate a critical need for users to update their router firmware.
Information Disclosure and Credential Exposure
Several vulnerabilities center on the unauthorized disclosure of sensitive information. CVE-2026-36618 allows attackers to query the DNS resolver software version (unbound 1.22.0), aiding targeted attacks. CVE-2026-36615 and CVE-2026-36613 reveal internal buffer contents through undocumented endpoints and undefined HTTP POST paths, respectively. Similarly, CVE-2026-36611 details how configuration backups are encrypted with a hardcoded DES key, allowing recovery of all stored credentials, including admin passwords and WiFi PSKs. Furthermore, under CVE-2026-36610 the router transmits DDNS credentials over plaintext HTTP; because TLS is not used, they can be intercepted by a man-in-the-middle on the path. CVE-2026-36606 also discloses the kernel memory layout via the UPnP GetStatusInfo action, providing attackers with kernel pointers.
Authentication and Access Control Weaknesses
Weaknesses in authentication and access control are prevalent across this batch. CVE-2026-36616 highlights hardcoded WiFi driver credentials, including a RADIUS shared secret and default PSK, embedded directly in the firmware. CVE-2026-36609 points to a static authentication nonce and predictable XOR-based password encoding, allowing attackers to reverse captured authentication tokens. CVE-2026-36607 permits unauthenticated brute-force attacks against the password change endpoint due to a lack of rate limiting. CVE-2026-36612 notes that WPS 2.0 is enabled by default with a weak lockout policy, making it susceptible to brute-force attacks. Additionally, CVE-2026-36608 allows unauthenticated LAN attackers to expose the admin panel to the internet by forwarding external ports to the router's own admin interface via UPnP.
Network Service Vulnerabilities
The router's network services are also affected. CVE-2026-36613 and CVE-2026-36611 describe vulnerabilities related to HTTP POST requests and UPnP port 1900, respectively, which can expose internal memory. CVE-2026-36604 enables DNS rebinding attacks because the router does not validate the HTTP Host header, potentially extending a CORS wildcard vulnerability to internet-originated attacks. CVE-2026-36603 reveals that 15 of 18 UPnP IGD actions are exposed without authentication on port 1900, allowing arbitrary port forwarding rules to be created by any unauthenticated LAN device.
Denial of Service and Other Issues
CVE-2026-36605 describes a critical HTTP denial-of-service vulnerability: a small number of crafted, incomplete HTTP requests cause a persistent crash that only a physical power cycle resolves, leaving the router inoperable until it is manually reset.
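Three of the weaknesses described above are HTTP-server hardening failures with standard fixes: an unvalidated Host header (the DNS rebinding issue), a password-change endpoint with no rate limiting, and a server that a few incomplete requests can take down. The Go program below is an added example written for this article, not code from Mercusys or from the router's firmware; it shows what the corresponding server-side controls look like in an embedded admin interface. The host names, the /cgi-bin/change_password path, the attempt limits and the timeouts are assumed sample values.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
	"sync"
	"time"
)

// Host header values that name this device (constructed sample values; a real
// device would fill this from its LAN address and configured hostname).
var allowedHosts = map[string]bool{"192.168.1.1": true, "router.local": true}

// hostAllowed strips any port and requires an exact allow-list match, so a page
// loaded from another name that later rebinds to the router's IP is refused.
func hostAllowed(hostHeader string) bool {
	if h, _, err := net.SplitHostPort(hostHeader); err == nil {
		hostHeader = h
	}
	return allowedHosts[strings.ToLower(hostHeader)]
}

type windowCount struct {
	start time.Time
	n     int
}

// attemptLimiter allows at most maxAttempts per client in each fixed window,
// enough to stop online brute force. The clock is a field so tests can drive it.
type attemptLimiter struct {
	mu          sync.Mutex
	maxAttempts int
	window      time.Duration
	now         func() time.Time
	counts      map[string]windowCount
}

func newAttemptLimiter(limit int, window time.Duration) *attemptLimiter {
	return &attemptLimiter{maxAttempts: limit, window: window, now: time.Now, counts: map[string]windowCount{}}
}

// allow records one attempt by client and reports whether it is within budget.
func (l *attemptLimiter) allow(client string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	now := l.now()
	wc := l.counts[client]
	if wc.n == 0 || now.Sub(wc.start) >= l.window {
		wc = windowCount{start: now} // first attempt, or the window has expired
	}
	wc.n++
	l.counts[client] = wc
	return wc.n <= l.maxAttempts
}

// requireKnownHost rejects unknown Host headers before any handler runs and adds
// no CORS header, so a LAN browser cannot be used as a relay by an internet page.
func requireKnownHost(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !hostAllowed(r.Host) {
			http.Error(w, "unknown host", http.StatusBadRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// passwordChangeHandler throttles attempts per client IP. The path it is mounted
// on below is hypothetical, chosen for the example.
func passwordChangeHandler(l *attemptLimiter) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		client, _, _ := net.SplitHostPort(r.RemoteAddr) // net/http sets "ip:port"
		if !l.allow(client) {
			http.Error(w, "too many attempts", http.StatusTooManyRequests)
			return
		}
		// Verification of the current password and session would go here.
		fmt.Fprintln(w, "password change accepted")
	})
}

// newAdminServer wires the middleware together and bounds how long a client may
// take to send headers and body, so a few half-open requests cannot pin it.
func newAdminServer(addr string) *http.Server {
	mux := http.NewServeMux()
	mux.Handle("/cgi-bin/change_password", passwordChangeHandler(newAttemptLimiter(5, time.Minute)))
	return &http.Server{
		Addr:              addr,
		Handler:           requireKnownHost(mux),
		ReadHeaderTimeout: 5 * time.Second,
		ReadTimeout:       10 * time.Second,
		IdleTimeout:       30 * time.Second,
	}
}

func main() {
	srv := newAdminServer("192.168.1.1:80") // sample LAN address
	fmt.Println(srv.ListenAndServe())
}
```

The Host check runs before routing, so a rebinding page reaching the router's IP under the attacker's name gets a 400 and never touches a handler. The limiter is a fixed-window counter keyed by client IP; a production device would combine it with per-account lockout. The server timeouts are what close the gap the denial-of-service finding describes: a request that never finishes sending its headers is dropped after ReadHeaderTimeout instead of occupying a connection slot indefinitely.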
Response and Mitigation
Details regarding specific patches or firmware updates that address this comprehensive set of vulnerabilities were not immediately available at the time of disclosure. Users of the Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 are strongly advised to monitor Mercusys's official support channels for firmware updates. Until patches are released, users should consider disabling UPnP if not strictly necessary and reviewing their network security configurations. The simultaneous disclosure of these 15 CVEs underscores the importance of timely security patching for network devices.
This extensive disclosure highlights significant security oversights in the Mercusys AC12G (EU) V1 router's firmware. Users should prioritize applying any available updates from Mercusys to mitigate these risks and protect their networks from potential exploitation.