VYPR
High severity 8.8 · NVD Advisory · Published Jun 3, 2026 · Updated Jun 3, 2026

CVE-2026-36607

Description

Mercusys AC12G (EU) V1 routers have an unauthenticated brute-force vulnerability in the TDDP password change endpoint, allowing full administrative access.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Mercusys AC12G (EU) V1 routers, specifically firmware versions AC12G(EU)_V1_200909 and AC12G(EU)_V1_210128, contain a vulnerability in the TDDP HTTP interface. The password change endpoint (code=10) verifies the password supplied with each request but lacks the rate limiting applied to the login endpoint (code=7), so an attacker can submit an unlimited number of guesses at the administrative password through it [1].

Exploitation

An attacker on the adjacent network can exploit this vulnerability by repeatedly sending password change requests to the TDDP endpoint, each carrying a candidate administrative password. The router applies no lockout to this endpoint, so the attacker can try passwords at network speed, estimated at 700-1500 per second, without triggering any security measure [1].
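The attack pattern described above is easy to recognise from the outside: one source, one endpoint, hundreds of failed requests per second. The following detector is an added example, not Mercusys firmware or vendor tooling. It assumes a proxy, firewall or network sensor in front of the router records one line per request in the constructed format "<ISO timestamp> <src ip> code=<op> status=<ok|fail>", and it flags any source whose failed code=10 requests reach a threshold inside a sliding window. The sample log lines are constructed for this example.

```python
"""Sliding-window burst detector for credential guessing against a
TDDP-style HTTP endpoint, written to illustrate the traffic pattern
behind CVE-2026-36607. This is added example code, not Mercusys firmware
or vendor tooling. Assumption: a proxy, firewall or network sensor in
front of the router records one line per request in the constructed
format "<ISO timestamp> <src ip> code=<op> status=<ok|fail>"."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGIN_OP = 7             # login endpoint, which the device does throttle
PASSWORD_CHANGE_OP = 10  # password change endpoint, which it does not


def build_sample_log(burst_size=40, burst_rate_per_s=1000):
    """Constructed sample: one ordinary client, then one host firing
    burst_size password-change attempts at burst_rate_per_s guesses/s,
    inside the 700-1500/s range the advisory estimates."""
    lines = [
        "2026-06-03T10:00:00.000 192.168.0.20 code=7 status=fail",   # mistyped login
        "2026-06-03T10:00:03.500 192.168.0.20 code=7 status=ok",
        "2026-06-03T10:00:04.100 192.168.0.20 code=10 status=ok",    # legitimate change
    ]
    t0 = datetime(2026, 6, 3, 10, 0, 10)
    step = timedelta(seconds=1.0 / burst_rate_per_s)
    for i in range(burst_size):
        ts = (t0 + i * step).isoformat(timespec="milliseconds")
        lines.append(f"{ts} 192.168.0.77 code={PASSWORD_CHANGE_OP} status=fail")
    return lines


def parse_line(line):
    """Return (timestamp, src_ip, op_code, success) for one log line."""
    ts, ip, code, status = line.split()
    return (datetime.fromisoformat(ts), ip,
            int(code.split("=", 1)[1]), status.split("=", 1)[1] == "ok")


def detect_bursts(lines, window=timedelta(seconds=10), threshold=20,
                  ops=(PASSWORD_CHANGE_OP,)):
    """Flag each (src_ip, op) whose failed attempts within one sliding
    window reach the threshold. Only failures are counted, so a user
    who mistypes a password once or twice is never reported. Returns
    {(ip, op): (failures_in_window, guesses_per_second, detected_at)}."""
    recent = defaultdict(deque)  # (ip, op) -> timestamps of recent failures
    alerts = {}
    for ts, ip, op, ok in map(parse_line, lines):
        if ok or op not in ops:
            continue
        key = (ip, op)
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and key not in alerts:
            span = (ts - q[0]).total_seconds()
            rate = len(q) / span if span > 0 else float("inf")
            alerts[key] = (len(q), rate, ts)
    return alerts


if __name__ == "__main__":
    for (ip, op), (count, rate, at) in detect_bursts(build_sample_log()).items():
        print(f"{ip} code={op}: {count} failures in window, ~{rate:.0f}/s, at {at}")
```

Counting only failures keeps the rule quiet for a real administrator who mistypes a password, while the guess rate reported at detection time gives a direct comparison with the 700-1500/s the advisory cites. Because the device itself keeps no such record, the value of this check depends on having a vantage point (a managed switch, firewall or span port) that sees traffic to the router's management interface.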

Impact

Successful exploitation grants an attacker full administrative access to the router. This allows for complete control over the device, including the ability to modify its configuration, monitor traffic, and potentially use it as a pivot point for further network compromise [1].

Mitigation

This vulnerability affects Mercusys AC12G (EU) V1 routers, and the affected firmware versions are considered end-of-life with no fix planned. There are no disclosed workarounds or patches available for this issue [1]. Because exploitation needs only adjacent-network access and no credentials, the practical options are to replace the device or to keep untrusted hosts off the network segments from which its management interface can be reached.

AI Insight generated on Jun 3, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The password change endpoint lacks rate limiting, allowing for unlimited brute-force attempts."

Attack vector

An unauthenticated attacker on the adjacent network can exploit this vulnerability by targeting the TDDP password change endpoint (code=10) [ref_id=1]. This endpoint, unlike the login endpoint (code=7), does not implement any rate limiting or account lockout mechanisms [ref_id=1]. The attacker can therefore attempt an unlimited number of passwords, estimated at 700-1500 per second, without triggering any security measures [ref_id=1]. This can lead to full administrative access to the router upon a successful brute-force attack.

Affected code

The vulnerability resides within the TDDP (TP-Link Device Debug Protocol) HTTP interface, specifically the password change endpoint identified by operation code 10 [ref_id=1]. This endpoint verifies the password supplied with each request, which is what the attacker guesses, but lacks the lockout mechanism present in the login endpoint (code=7) [ref_id=1]. The password encoding algorithm, orgAuthPwd, is implemented in the router's JavaScript source, which is served without authentication, so the encoding provides no secrecy: anyone who can reach the web interface can reproduce it for each guess [ref_id=1].

What the fix does

The advisory states that the product is end-of-life and no fix is planned [ref_id=1]. Therefore, no patch is available to address this vulnerability. Users are advised to replace the affected device.
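Since no vendor fix exists, the following model shows the structural gap the advisory describes and the shape a fix would take. It is added example code, not Mercusys firmware: the request format and the MAX_FAILURES threshold are invented for the model, the orgAuthPwd encoding is deliberately not reproduced (passwords are treated as opaque strings), and only the op codes 7 and 10 come from the advisory. With shared_lockout=False the lockout lives inside the login handler alone, so op 10 can be driven through an entire wordlist; with shared_lockout=True one guard sits on the password check itself and covers every op that uses it.

```python
"""Minimal model of the lockout gap behind CVE-2026-36607 and of the
shape a fix would take. Added example code: this is not Mercusys
firmware, the request format is invented for the model, and the
orgAuthPwd encoding is deliberately not reproduced (passwords are
treated as opaque strings). Op codes 7 (login) and 10 (password change)
are the ones the advisory names; MAX_FAILURES is an assumed threshold."""
import hmac

LOGIN_OP = 7
PASSWORD_CHANGE_OP = 10
MAX_FAILURES = 5  # assumed lockout threshold for the model


class Router:
    """Device state: the admin password plus a failure counter per op.
    shared_lockout=False reproduces the advisory's gap (only op 7 is
    guarded); shared_lockout=True is the hardened shape, where one
    guard covers every op that verifies the password."""

    def __init__(self, password, shared_lockout):
        self._password = password
        self.shared_lockout = shared_lockout
        self.failures = {LOGIN_OP: 0, PASSWORD_CHANGE_OP: 0}

    def _locked(self, op):
        if self.shared_lockout:
            return sum(self.failures.values()) >= MAX_FAILURES
        return op == LOGIN_OP and self.failures[LOGIN_OP] >= MAX_FAILURES

    def _verify(self, op, guess):
        """The single place a password guess is checked. Returns
        'locked', 'ok' or 'fail'; only failures advance the counter."""
        if self._locked(op):
            return "locked"
        if hmac.compare_digest(guess.encode(), self._password.encode()):
            self.failures[op] = 0
            return "ok"
        self.failures[op] += 1
        return "fail"

    def handle(self, op, payload):
        """Dispatch one TDDP-style request (payload is a dict here)."""
        if op == LOGIN_OP:
            return self._verify(op, payload["password"])
        if op == PASSWORD_CHANGE_OP:
            result = self._verify(op, payload["old_password"])
            if result == "ok":
                self._password = payload["new_password"]
            return result
        return "unknown_op"


def guessing_loop(router, wordlist, new_password="attacker-set"):
    """Drive op 10 with one candidate per request, as the advisory's
    attacker does, and stop at the first 'ok' or 'locked'. Returns
    (outcome, requests sent)."""
    for n, guess in enumerate(wordlist, 1):
        result = router.handle(PASSWORD_CHANGE_OP,
                               {"old_password": guess, "new_password": new_password})
        if result in ("ok", "locked"):
            return result, n
    return "exhausted", len(wordlist)


WORDLIST = ["admin", "password", "12345678", "letmein",
            "qwerty", "welcome1", "s3cret!"]  # constructed candidate list

if __name__ == "__main__":
    vulnerable = Router("s3cret!", shared_lockout=False)
    print("vulnerable:", guessing_loop(vulnerable, WORDLIST))   # ('ok', 7)
    hardened = Router("s3cret!", shared_lockout=True)
    print("hardened:  ", guessing_loop(hardened, WORDLIST))     # ('locked', 6)
```

The point of the model is where the guard lives: attaching it to the password verification rather than to one handler means any op that checks the credential, including ones added later, is covered. A production fix would additionally key the counter by source or time-limit it, persist it across reboots, and return the same response for a locked and a wrong attempt so that a guesser learns nothing from the lockout itself.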

Preconditions

  • network: Attacker must be on the adjacent network.
  • auth: No authentication is required to access the vulnerable endpoint.

Generated on Jun 3, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1

News mentions

1