VYPR
Unrated severity · NVD Advisory · Published Jun 3, 2026

CVE-2026-36616

Description

Mercusys AC12G (EU) V1 firmware contains hardcoded WiFi credentials, including a RADIUS shared secret and default PSK, potentially allowing network impersonation and information disclosure.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Mercusys AC12G (EU) V1 router, specifically firmware versions AC12G(EU)_V1_200909 and AC12G(EU)_V1_210128, contains hardcoded WiFi driver credentials within the production firmware binary. These credentials, including a RADIUS shared secret, WPS test key, and default PSK, are embedded in the MediaTek/Ralink WiFi driver configuration template and could become active under certain conditions [1].
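As an added defender-side example (not code from the advisory, the vendor or the firmware), the following Python audit parses an extracted WiFi driver configuration template and flags the kind of shipped defaults described above; the template layout, field names and server address are constructed assumptions, and only the two values the advisory names (12345678, ralink) come from the page.

```python
# Constructed sample in the style of a key=value WiFi driver configuration
# template. Assumption: the real firmware file uses different field names and
# layout; only the defaults named in the advisory (12345678, ralink) are real.
SAMPLE_TEMPLATE = """\
Default
SSID1=ExampleSSID
WPAPSK1=12345678
RADIUS_Server1=192.0.2.10
RADIUS_Port1=1812
RADIUS_Key1=ralink
"""

# Values the advisory identifies as hardcoded defaults in the template.
KNOWN_DEFAULT_PSKS = {"12345678"}
KNOWN_DEFAULT_RADIUS_SECRETS = {"ralink"}


def parse_template(text):
    """Parse key=value lines into a dict; section labels and blank lines are skipped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def audit_wifi_config(cfg):
    """Return (severity, key, reason) findings for credentials that should not ship in a template."""
    findings = []
    for key, value in cfg.items():
        if not value:
            continue  # an empty field is the expected state for a shipped template
        if key.startswith("WPAPSK"):
            if value in KNOWN_DEFAULT_PSKS:
                findings.append(("high", key, "known default PSK from advisory"))
            elif len(value) < 12 or value.isdigit():
                findings.append(("medium", key, "short or all-numeric PSK"))
        elif key.startswith("RADIUS_Key"):
            if value in KNOWN_DEFAULT_RADIUS_SECRETS:
                findings.append(("high", key, "known default RADIUS shared secret"))
            elif len(value) < 16:
                findings.append(("medium", key, "short RADIUS shared secret"))
        elif key.startswith("RADIUS_Server"):
            # A server address baked into a template is the development-host leak the advisory describes.
            findings.append(("low", key, "server address baked into template"))
    return findings
```

Run the audit over every configuration template recovered from a firmware image; any "high" finding means the device ships a credential an adjacent attacker can reuse without guessing.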

Exploitation

An attacker with adjacent network access could exploit this vulnerability by leveraging the default PSK 12345678 if AP Client mode is enabled or by impersonating the RADIUS server if WPA-Enterprise is configured, using the hardcoded shared secret ralink. The presence of development IP addresses and plaintext logging of WiFi keys in the firmware also aids attackers in understanding and potentially compromising the network infrastructure [1].

Impact

Successful exploitation allows an attacker to impersonate the RADIUS server, potentially leading to network access or man-in-the-middle attacks. The use of a trivially guessable default PSK (12345678) can grant unauthorized access to the network. Additionally, the disclosure of internal development IP addresses and the potential for plaintext logging of WiFi keys can lead to further information disclosure and compromise of network security [1].

Mitigation

This vulnerability affects Mercusys AC12G (EU) V1 routers with firmware AC12G(EU)_V1_200909 and AC12G(EU)_V1_210128. The product is listed as end-of-life, and no fix is planned. Users are advised to consider replacing the affected device or to implement network segmentation and strong access controls if possible [1].

AI Insight generated on Jun 3, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0. No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE: mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 1

News mentions: 1