CVE-2026-36612
Description
Mercusys AC12G routers have a WPS 2.0 vulnerability allowing Wi-Fi credential recovery due to a predictable PIN and weak lockout policy.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Mercusys AC12G (EU) V1 routers with firmware versions AC12G(EU)_V1_200909 and AC12G(EU)_V1_210128 enable WPS 2.0 by default. The implementation has a weak lockout policy: 10 failed PIN attempts are allowed before a 60-second lockout. In addition, the AP PIN can be deterministically derived from the BSSID MAC address [1].
Exploitation
An attacker needs network access and must wait for the user to activate WPS PIN mode via the web UI or a physical button. Once WPS PIN mode is active, the attacker can predict the AP PIN using the BSSID MAC address and attempt to recover the Wi-Fi credentials within a single WPS PIN exchange attempt, bypassing the weak lockout policy [1].
Impact
Successful exploitation allows an attacker to recover Wi-Fi credentials, granting them full access to the local area network and all connected devices. This could lead to further compromise of networked systems [1].
Mitigation
The affected products are end-of-life, and no fix is planned. Users are advised to disable WPS by default on their routers if possible. Increasing the lockout duration and the number of failed attempts are recommended security practices, but are not available as a firmware update for these devices [1].
AI Insight generated on Jun 3, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (1)
News mentions (1)
- Mercusys AC12G Router: 15 Vulnerabilities Disclosed on June 3, 2026 (Vypr Intelligence, Jun 3, 2026)