CVE-2026-36605
Description
Mercusys AC12G (EU) V1 routers are vulnerable to a persistent HTTP denial of service via incomplete HTTP requests, requiring a power cycle to recover.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Mercusys AC12G (EU) V1 router, specifically firmware versions AC12G(EU)_V1_200909 and AC12G(EU)_V1_210128, is susceptible to a denial of service vulnerability within its HTTP server. The server has a small, fixed connection pool that lacks timeouts for incomplete HTTP requests. This allows for exhaustion of available connection slots by approximately 50 concurrent TCP connections with slow or incomplete headers [1].
Exploitation
An attacker on the local network can exploit this vulnerability by holding open around 50 concurrent TCP connections to the router's HTTP port, each sending slow or incomplete HTTP headers. This exhausts the router's connection pool, leading to a denial of service condition [1]. No authentication or user interaction is required.
Impact
Successful exploitation results in a persistent denial of service, rendering the router's HTTP administration interface and UPnP service permanently unresponsive. While the data plane (internet routing, DNS) remains operational, the control plane is inaccessible until a physical power cycle of the device. This locks administrators out of managing the router remotely [1].
Mitigation
This vulnerability affects Mercusys AC12G (EU) V1 routers, and the affected firmware versions are considered end-of-life with no fix planned. There are no disclosed workarounds to mitigate this issue. Recovery requires a physical power cycle of the affected device [1].
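An added detection example (not from the advisory or the vendor): with no fix or workaround available, a sensor on the LAN can count connections to the router's HTTP port whose request headers never complete, and alert before the pool of about 50 slots described above is exhausted. The event tuple format, the 10-second stall threshold and the half-pool alert ratio are assumptions, and the sample capture is constructed.

```python
from collections import defaultdict

POOL_SIZE = 50      # approximate slot count, from the description above
STALL_SECS = 10     # assumption: headers still incomplete after this long = stalled
ALERT_RATIO = 0.5   # assumption: alert once one source holds half the pool

def stalled_by_source(events, now):
    """events: (ts, conn_id, src_ip, kind, payload) with kind open/data/close.
    Returns {src_ip: open connections to the router's HTTP port whose headers
    are still incomplete STALL_SECS after the connection was opened}."""
    conns = {}  # conn_id -> [src_ip, opened_ts, tail_of_bytes_seen, headers_done]
    for ts, cid, src, kind, payload in sorted(events, key=lambda e: e[0]):
        if ts > now:
            break
        if kind == "open":
            conns[cid] = [src, ts, b"", False]
        elif kind == "close":
            conns.pop(cid, None)
        elif kind == "data" and cid in conns and not conns[cid][3]:
            buf = conns[cid][2] + payload
            conns[cid][3] = b"\r\n\r\n" in buf   # end-of-headers marker seen
            conns[cid][2] = buf[-3:]             # keep tail: marker may span segments
    counts = defaultdict(int)
    for src, opened, _tail, done in conns.values():
        if not done and now - opened >= STALL_SECS:
            counts[src] += 1
    return dict(counts)

def alerts(events, now):
    """Sources holding enough stalled connections to threaten the pool."""
    limit = int(POOL_SIZE * ALERT_RATIO)
    return sorted(s for s, n in stalled_by_source(events, now).items() if n >= limit)

def sample_events():
    """Constructed capture: one normal admin request, one idle client,
    and one host holding 30 connections with unfinished headers."""
    ev = [(0.0, "a1", "192.0.2.10", "open", b""),
          (0.1, "a1", "192.0.2.10", "data", b"GET / HTTP/1.1\r\nHost: router\r\n"),
          (0.2, "a1", "192.0.2.10", "data", b"\r\n"),
          (2.0, "b1", "192.0.2.20", "open", b"")]
    for i in range(30):
        ev.append((1.0 + i * 0.01, f"s{i}", "192.0.2.66", "open", b""))
        ev.append((1.5 + i * 0.01, f"s{i}", "192.0.2.66", "data", b"GET / HTTP/1.1\r\n"))
    return ev

if __name__ == "__main__":
    print(stalled_by_source(sample_events(), now=30.0))
    print("alert:", alerts(sample_events(), now=30.0))
```

Because recovery requires a power cycle, the alert ratio is set below the full pool so the alert fires while the administration interface can still be reached.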
AI Insight generated on Jun 3, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (1)
News mentions (1)
- Mercusys AC12G Router: 15 Vulnerabilities Disclosed on June 3, 2026 (Vypr Intelligence · Jun 3, 2026)