VYPR
Medium severity · 4.3 · NVD Advisory · Published Jun 3, 2026 · Updated Jun 3, 2026

CVE-2026-36613

Description

Mercusys AC12G routers leak 128 bytes of uninitialized buffer data and 67 bytes of heap memory via unauthenticated HTTP POST requests.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The VxWorks HTTP server in Mercusys AC12G (EU) V1, specifically firmware versions AC12G(EU)_V1_200909 and AC12G(EU)_V1_210128, fails to return proper HTTP error responses for unrecognized request paths or invalid codes. Instead, it returns 128 bytes of raw internal memory, including the header parsing buffer, when receiving HTTP POST requests to undefined paths [1].

Exploitation

An unauthenticated attacker on the adjacent network can trigger this vulnerability by sending an HTTP POST request to an unrecognized path, such as /admin, /config, /firmware, or a path with an invalid code like POST /?code=N where N is outside the valid handler range. The response will contain raw buffer data before any HTTP status line, and if a POST body is included, an additional 67 bytes beyond the POST body buffer boundary will be read from adjacent heap memory [1].

Impact

Successful exploitation exposes 128 bytes of uninitialized internal server state, including key-value pairs from processed HTTP headers. Additionally, an out-of-bounds read of 67 bytes beyond the POST body buffer can leak fragments of HTTP response templates from previous operations stored in adjacent heap memory. The disclosure is reachable by unauthenticated attackers on the adjacent network and exposes sensitive server state [1].
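The observable symptom described above (raw buffer bytes, including header key-value pairs, appearing before any HTTP status line) is something a network operator can check for in responses already captured from managed devices, for example from a proxy log or a packet capture. The following is an added example written for this page, not code from the advisory or from Mercusys; the sample responses are constructed and the `leading_bytes` / `fragments` field names are this example's own. It classifies a raw response as well-formed or as a suspected memory disclosure and pulls out any printable fragments from the leaked prefix, which is what an analyst would want when triaging a hit.

```python
import re

# Constructed sample responses for testing the classifier (not captured
# from a real device). The "leaked" one imitates the pattern in the
# advisory: stale header key-value pairs and padding ahead of the status line.
NORMAL_RESPONSE = b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"
LEAKED_RESPONSE = (
    b"Host: 192.168.1.1\x00Accept: */*\x00" + b"\x00" * 20
    + b"HTTP/1.1 200 OK\r\n\r\n"
)
GARBAGE_ONLY = b"\x00Content-Type: text/html\x00" * 4

# A well-formed response must begin with an HTTP/1.x status line.
STATUS_LINE = re.compile(rb"HTTP/1\.[01] \d{3}[ \r]")


def analyze_response(raw: bytes) -> dict:
    """Classify the raw bytes a server returned.

    verdict:        "ok" if the bytes start with a status line, otherwise
                    "suspect_disclosure"
    leading_bytes:  number of bytes that precede the status line (all of
                    the payload if no status line is present at all)
    fragments:      printable runs (4+ chars) found in the leaked prefix,
                    e.g. stale header key-value pairs
    """
    m = STATUS_LINE.search(raw)
    if m and m.start() == 0:
        return {"verdict": "ok", "leading_bytes": 0, "fragments": []}
    junk = raw[: m.start()] if m else raw
    fragments = [f.decode("ascii") for f in re.findall(rb"[\x20-\x7e]{4,}", junk)]
    return {
        "verdict": "suspect_disclosure",
        "leading_bytes": len(junk),
        "fragments": fragments,
    }


def flag_suspect_paths(results: dict) -> list:
    """Given {request_path: raw_response_bytes}, return the paths whose
    responses look like a memory disclosure, for follow-up triage."""
    return sorted(p for p, raw in results.items()
                  if analyze_response(raw)["verdict"] != "ok")


if __name__ == "__main__":
    for name, raw in [("normal", NORMAL_RESPONSE),
                      ("leaked", LEAKED_RESPONSE),
                      ("garbage", GARBAGE_ONLY)]:
        print(name, analyze_response(raw))
    print(flag_suspect_paths({"/": NORMAL_RESPONSE, "/admin": LEAKED_RESPONSE}))
```

Because the check only looks at response bytes, it can run over existing captures without sending anything to the device; a non-zero `leading_bytes` on a response from one of the affected firmware versions is the signal to take the unit off any network segment an untrusted host can reach.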

Mitigation

This vulnerability affects Mercusys AC12G (EU) V1 devices with firmware AC12G(EU)_V1_200909 and AC12G(EU)_V1_210128. The product is end-of-life, and no fix is planned. There are no workarounds mentioned in the available references [1].

AI Insight generated on Jun 3, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

No source-code context is available for this CVE. Mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 1

News mentions: 1