VYPR

Mercusys

All CVEs

24 total · sorted by risk
  • CVE-2026-36608 · High · Jun 3, 2026
    risk 0.57 · cvss 8.8 · epss 0.00

    Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 allows UPnP AddPortMapping to forward external ports to the router's own admin interface by accepting its own IP (192.168.1.1) or localhost (127.0.0.1) as InternalClient. An unauthenticated LAN attacker can expose…

  • CVE-2026-36607 · High · Jun 3, 2026
    risk 0.57 · cvss 8.8 · epss 0.00

    Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 allows unauthenticated brute-force attacks via the TDDP password change endpoint (code=10), which lacks the rate limiting applied to the login endpoint (code=7). An attacker on the adjacent network can attempt…

  • CVE-2026-36603 · High · Jun 3, 2026
    risk 0.53 · cvss 8.1 · epss 0.00

    Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 exposes 15 of 18 UPnP IGD actions without authentication on port 1900, including AddPortMapping and GetExternalIPAddress. UPnP is enabled by default through the admin interface, allowing any unauthenticated LAN…

  • CVE-2021-25811 · High · Apr 29, 2021
    risk 0.49 · cvss 7.5 · epss 0.02

    MERCUSYS Mercury X18G 1.0.5 devices allow Denial of service via a crafted value to the POST listen_http_lan parameter. Upon subsequent device restarts after this vulnerability is exploited the device will not be able to access the webserver unless the listen_http_lan parameter to…

  • CVE-2026-36611 · High · Jun 3, 2026
    risk 0.47 · cvss 7.3 · epss 0.00

    Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 returns 128 bytes of uninitialized buffer when receiving POST requests without SOAPAction header on UPnP port 1900, exposing internal memory to unauthenticated adjacent network attackers.

  • CVE-2026-36609 · High · Jun 3, 2026
    risk 0.47 · cvss 7.3 · epss 0.00

    Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 uses a static authentication nonce that does not change between requests from the same source IP. Combined with the predictable XOR-based password encoding (securityEncode function), this allows an attacker to…

  • CVE-2026-36606 · High · Jun 3, 2026
    risk 0.46 · cvss 7.1 · epss 0.00

    Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 encrypts configuration backups with a hardcoded DES key using single DES in ECB mode. An attacker who obtains a backup file can decrypt it to recover all stored credentials including admin password, WiFi PSK, and…

  • CVE-2023-52162 · Med · Jun 3, 2024
    risk 0.44 · cvss 6.7 · epss 0.01

    Mercusys MW325R EU V3 (Firmware MW325R(EU)_V3_1.11.0 Build 221019) is vulnerable to a stack-based buffer overflow, which could allow an attacker to execute arbitrary code. Exploiting the vulnerability requires authentication.

  • CVE-2026-36612 · Med · Jun 3, 2026
    risk 0.42 · cvss 6.4 · epss 0.00

    Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 enables WPS 2.0 by default with a weak lockout policy (60-second lockout after 10 attempts).

  • CVE-2026-36605 · Med · Jun 3, 2026
    risk 0.42 · cvss 6.5 · epss 0.00

    Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 is vulnerable to an HTTP denial of service via a low number of crafted incomplete HTTP requests, causing a persistent crash that requires physical power cycling to recover.

  • CVE-2026-36604 · Med · Jun 3, 2026
    risk 0.42 · cvss 6.5 · epss 0.00

    Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 does not validate the HTTP Host header, enabling DNS rebinding attacks. An external attacker can rebind a domain to the router's internal IP address, extending the CORS wildcard vulnerability…

  • CVE-2021-25810 · Med · Apr 29, 2021
    risk 0.40 · cvss 6.1 · epss 0.01

    Cross-site scripting (XSS) vulnerability in MERCUSYS Mercury X18G 1.0.5 devices, via crafted values to the 'src_dport_start', 'src_dport_end', and 'dest_port' parameters.

  • CVE-2026-36616 · Med · Jun 3, 2026
    risk 0.38 · cvss 5.9 · epss 0.00

    Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 contains hardcoded WiFi driver credentials including a RADIUS shared secret, WPS test key, and default PSK embedded in the production firmware binary.

  • CVE-2026-36610 · Med · Jun 3, 2026
    risk 0.38 · cvss 5.9 · epss 0.00

    Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 transmits DDNS credentials over plaintext HTTP with only Base64 encoding. The firmware contains no TLS implementation, allowing man-in-the-middle interception of DDNS service credentials.

  • CVE-2021-23241 · Med · Jan 7, 2021
    risk 0.36 · cvss 5.3 · epss 0.13

    MERCUSYS Mercury X18G 1.0.5 devices allow Directory Traversal via ../ in conjunction with a loginLess or login.htm URI (for authentication bypass) to the web server, as demonstrated by the /loginLess/../../etc/passwd URI.

  • CVE-2021-23242 · Med · Jan 7, 2021
    risk 0.35 · cvss 5.3 · epss 0.02

    MERCUSYS Mercury X18G 1.0.5 devices allow Directory Traversal via ../ to the UPnP server, as demonstrated by the /../../conf/template/uhttpd.json URI.

  • CVE-2023-46297 · Med · May 29, 2024
    risk 0.33 · cvss 5.1 · epss 0.00

    An issue was discovered on Mercusys MW325R EU V3 MW325R(EU)_V3_1.11.0 221019 devices. A WAN attacker can make the admin interface unreachable/invisible via an unauthenticated HTTP request. Verification of the data sent by the user does not occur. The web server does not crash,…

  • CVE-2026-36618 · Med · Jun 3, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 responds to version.bind CHAOS TXT queries, disclosing the DNS resolver software version (unbound 1.22.0), aiding targeted attacks against known vulnerabilities.

  • CVE-2026-36615 · Med · Jun 3, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 exposes an undocumented /agileconfigreset endpoint that returns internal buffer contents to unauthenticated attackers on the adjacent network.

  • CVE-2026-36613 · Med · Jun 3, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 returns 128 bytes of uninitialized internal buffer contents when receiving HTTP POST requests to undefined paths, exposing server state to unauthenticated adjacent network attackers.

  • CVE-2026-36602 · Med · Jun 3, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 discloses kernel memory layout via the UPnP GetStatusInfo action. An unauthenticated attacker on the adjacent network can obtain a raw MIPS KSEG0 kernel pointer, revealing kernel memory layout and aiding further…

  • CVE-2025-7882 · Low · Jul 20, 2025
    risk 0.20 · cvss 3.1 · epss 0.00

    A vulnerability was found in Mercusys MW301R 1.0.2 Build 190726 Rel.59423n. It has been rated as problematic. This issue affects some unknown processing of the component Login. The manipulation leads to improper restriction of excessive authentication attempts. The attack can…

  • CVE-2025-7881 · Low · Jul 20, 2025
    risk 0.18 · cvss 2.7 · epss 0.00

    A vulnerability was found in Mercusys MW301R 1.0.2 Build 190726 Rel.59423n. It has been declared as problematic. This vulnerability affects unknown code of the component Web Interface. The manipulation of the argument code leads to weak password recovery. The attack can be…

  • CVE-2025-56463 · Sep 26, 2025
    risk 0.00 · cvss · epss 0.00

    Mercusys MW305R 3.30 and below has a Transport Layer Security (TLS) certificate private key disclosure.