VYPR
Unrated severity · NVD Advisory · Published Jun 3, 2026

CVE-2026-36609
Description

Mercusys AC12G router uses a static nonce and predictable encoding, allowing attackers to recover plaintext passwords from captured tokens.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Mercusys AC12G (EU) V1 router, specifically firmware versions AC12G(EU)_V1_200909 and AC12G(EU)_V1_210128, suffers from a vulnerability in its HTTP authentication mechanism. The router uses a static authentication nonce that is generated once per boot per source IP address. This nonce, combined with a predictable XOR-based password encoding function (securityEncode), allows for the recovery of the plaintext password [1].

Exploitation

An attacker can capture an authentication exchange between the router and a legitimate user. The router's TDDP authentication protocol returns a challenge containing a nonce and a group key. The session token is generated using the securityEncode function with static inputs and the static nonce. Since the securityEncode function is reversible and all inputs except the password are known, an attacker can reverse the captured session token to recover the plaintext password. Captured session tokens can also be replayed indefinitely, as they do not expire or rotate within a boot cycle [1].

Impact

Successful exploitation allows an attacker to recover the plaintext administrator password from a single captured authentication exchange. This enables the attacker to gain administrative access to the router with the privileges of the recovered password. Furthermore, captured session tokens can be replayed indefinitely, allowing for persistent unauthorized access without needing to re-exploit the nonce vulnerability [1].

Mitigation

According to the available information, the Mercusys AC12G (EU) V1 router is end-of-life, and no fix is planned for this vulnerability. There are no disclosed workarounds to address the static nonce and predictable encoding. Users are advised to replace the affected device if possible [1].

AI Insight generated on Jun 3, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"The router uses a static authentication nonce and predictable XOR-based password encoding."

Attack vector

An attacker can capture an authentication exchange between the router and a client. The router generates a nonce that does not change between requests from the same source IP during a boot cycle [1]. The session token is computed using a predictable XOR-based encoding function with this static nonce and a known salt [1]. By reversing this encoding, an attacker can recover the plaintext password from a captured token [1].

Affected code

The vulnerability lies within the HTTP authentication mechanism and nonce generation of the Mercusys AC12G (EU) V1 router. Specifically, the `securityEncode` function, which uses XOR-based encoding with a static nonce, is implicated [1]. The `orgAuthPwd` function and `securityEncode` are documented in `/lib/Quary.js` [1].
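The reversibility described under Exploitation and Attack vector above follows from the structure of the encoding, not from any secret it consumes: XOR is its own inverse, so a token produced with key material that the observer can also obtain (a nonce that is static per boot and per source IP) hands back the password. The block below is an added illustration and is not code from the Mercusys firmware or from `/lib/Quary.js`. `xor_encode` is a hypothetical stand-in for a static-nonce XOR scheme, and `ChallengeResponseServer` shows the properties a sound replacement design needs: a fresh, unpredictable nonce per attempt, a one-way MAC response, single-use nonces so that a captured response cannot be replayed, and a stored verifier rather than a plaintext password. All names, keys and sample values are constructed.

```python
# Added illustration (not Mercusys firmware or /lib/Quary.js code): a reversible
# XOR token scheme with a static nonce, contrasted with a one-way, single-use
# challenge-response scheme. All names and values are hypothetical.
import hashlib
import hmac
import secrets


def xor_encode(secret: bytes, nonce: bytes) -> bytes:
    """Toy reversible encoding: XOR the secret with a repeating nonce.

    XOR is an involution, so xor_encode(token, nonce) == secret whenever the
    same nonce is used twice. With a nonce that never changes, the token is
    just the password under a fixed, observable mask.
    """
    if not nonce:
        raise ValueError("nonce must be non-empty")
    return bytes(b ^ nonce[i % len(nonce)] for i, b in enumerate(secret))


def token_is_invertible(secret: bytes, nonce: bytes) -> bool:
    """Property check: applying the encoding twice returns the secret."""
    return xor_encode(xor_encode(secret, nonce), nonce) == secret


def derive_key(password: bytes) -> bytes:
    """Password-derived key (hypothetical). A production design would use a
    slow, salted KDF so that offline guessing against a captured MAC is costly."""
    return hashlib.sha256(b"auth-key|" + password).digest()


class ChallengeResponseServer:
    """Hardened side: random nonce per attempt, HMAC response, each nonce
    accepted at most once (consumed even when verification fails)."""

    def __init__(self, password: bytes) -> None:
        self._key = derive_key(password)  # stored verifier; plaintext is never kept
        self._pending = set()             # nonces issued but not yet consumed

    def issue_challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)   # unpredictable and never reused
        self._pending.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        # Unknown or already-consumed nonce: reject. This is what defeats replay.
        if nonce not in self._pending:
            return False
        self._pending.discard(nonce)      # single use, regardless of outcome
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(password: bytes, nonce: bytes) -> bytes:
    """Client side: a MAC over the server's nonce. Capturing it reveals neither
    the password nor anything that verifies under a different nonce."""
    return hmac.new(derive_key(password), nonce, hashlib.sha256).digest()


def demo() -> dict:
    """Exercise both designs on a constructed password and report the findings."""
    password = b"correct-horse-battery"      # constructed sample value
    static_nonce = b"\x5a" * 8               # stands in for a nonce that never changes

    server = ChallengeResponseServer(password)
    nonce = server.issue_challenge()
    response = client_response(password, nonce)
    fresh = server.verify(nonce, response)
    replayed = server.verify(nonce, response)                     # same pair again
    reused = server.verify(server.issue_challenge(), response)    # old response, new nonce

    return {
        "weak_token_invertible": token_is_invertible(password, static_nonce),
        "fresh_response_accepted": fresh,
        "replayed_response_accepted": replayed,
        "response_reused_under_new_nonce_accepted": reused,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Within one boot cycle, a nonce that is fixed per source IP behaves exactly like `static_nonce` here, which is why the page's "static nonce" wording is the operative defect rather than the XOR itself. The hardened sketch removes password recovery and replay, but an HMAC over a fast hash still permits offline guessing of weak passwords from a captured exchange; a real design pairs it with a salted slow KDF, rate limiting, or a PAKE, and rotates the nonce on every attempt.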

What the fix does

The advisory states that the affected product is end-of-life and no fix is planned. Remediation guidance suggests replacing the affected device.

Preconditions

  • network: The attacker must be able to intercept network traffic to capture an authentication exchange.
  • input: The attacker needs to capture a valid session token.

Generated on Jun 3, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1

News mentions: 1