CVE-2026-36610
Description
Mercusys AC12G firmware transmits DDNS credentials over plaintext HTTP using Base64 encoding, allowing interception.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Mercusys AC12G (EU) V1 router, specifically firmware versions AC12G(EU)_V1_200909 and AC12G(EU)_V1_210128, transmits Dynamic DNS (DDNS) service credentials over unencrypted HTTP. The firmware lacks any TLS implementation, and the credentials are only Base64 encoded, which is an encoding rather than encryption and is easily reversed.
Exploitation
An attacker positioned as a man-in-the-middle on the network path between the router and the DDNS provider can intercept the DDNS update requests. These requests carry the DDNS username and password in the Authorization: Basic header, where they are only Base64 encoded and can be recovered by decoding.
Impact
Successful interception allows an attacker to obtain the DDNS service credentials. The scope of the compromise is limited to those credentials unless they are reused for other services, in which case it could lead to further compromise.
Mitigation
This vulnerability cannot be fixed by configuration because the firmware contains no TLS implementation. The affected product is end-of-life, and no fix is planned. Users are advised to implement TLS for all outbound HTTP connections carrying authentication credentials and to ensure DDNS providers support HTTPS endpoints, which both DynDNS and No-IP offer [1].
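A defender-side check for the exposure described above, as an added example that is not part of the CVE record or any vendor code: it parses a captured outbound request payload and reports when Basic credentials travel over plaintext HTTP, recording the account name and password length but never the password. The function name, host, path and credentials are constructed assumptions.

```python
import base64
import binascii


def audit_http_request(raw: bytes):
    """Return a finding dict if a plaintext HTTP request carries Basic credentials, else None."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None  # not an HTTP request line (for example, TLS record bytes)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None  # malformed token, nothing to report
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    # Report the account and secret length only; never log the secret itself.
    return {"host": headers.get("host", "?"), "path": parts[1],
            "user": user, "password_len": len(password)}


# Constructed sample inputs: placeholder host, path and credentials.
_TOKEN = base64.b64encode(b"demo-user:demo-pass").decode()
SAMPLE_PLAINTEXT = (
    "GET /nic/update?hostname=home.example.net HTTP/1.1\r\n"
    "Host: ddns.example.net\r\n"
    f"authorization: Basic {_TOKEN}\r\n\r\n"
).encode()
# First bytes of a TLS record (constructed); an encrypted session exposes no headers.
SAMPLE_TLS = bytes.fromhex("160301020001") + b"\x00" * 16

if __name__ == "__main__":
    print(audit_http_request(SAMPLE_PLAINTEXT))
    print(audit_http_request(SAMPLE_TLS))
```

Feed it the TCP payloads of outbound port 80 flows from the router's WAN side; any finding means the DDNS account password should be treated as exposed and not reused elsewhere.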
AI Insight generated on Jun 3, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (1)
News mentions (1)
- Mercusys AC12G Router: 15 Vulnerabilities Disclosed on June 3, 2026 (Vypr Intelligence, Jun 3, 2026)