Skip to main content

Mercusys AC12G CVE-2026-36606

| EUVDEUVD-2026-34145 HIGH
Use of Hard-coded Credentials (CWE-798)
2026-06-03 mitre GHSA-qcpv-m3ww-37pw
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
Analysis Generated
Jun 03, 2026 - 20:30 vuln.today
CVSS changed
Jun 03, 2026 - 19:22 NVD
7.1 (HIGH)
CVE Published
Jun 03, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 encrypts configuration backups with a hardcoded DES key using single DES in ECB mode. An attacker who obtains a backup file can decrypt it to recover all stored credentials including admin password, WiFi PSK, and DDNS credentials.

AnalysisAI

Credential disclosure in Mercusys AC12G (EU) V1 routers running firmware AC12G(EU)_V1_200909 allows recovery of plaintext admin, WiFi, and DDNS credentials from configuration backup files. The device encrypts backups with a hardcoded single-DES key in ECB mode, meaning anyone who obtains the backup file can trivially decrypt it. No public exploit identified at time of analysis, though a third-party advisory write-up exists on GitHub describing the cryptographic flaw.

Technical ContextAI

The vulnerability falls under CWE-798 (Use of Hard-coded Credentials), specifically a hardcoded cryptographic key embedded in the router firmware. The affected device uses single DES - a 56-bit block cipher long considered broken and deprecated by NIST since 2005 - operated in ECB (Electronic Codebook) mode, which leaks structural patterns in plaintext. Because the DES key is identical across all units shipping firmware AC12G(EU)_V1_200909, an attacker who extracts the key from one device's firmware (or reuses publicly disclosed key material) can decrypt configuration backups from any other unit running the same image. Configuration backups on consumer SOHO routers typically include the admin web UI password, WPA/WPA2 pre-shared keys for each SSID, WAN/PPPoE credentials, and dynamic DNS provider credentials.

RemediationAI

No vendor-released patch identified at time of analysis - the input data includes only a third-party research advisory and the NVD entry, with no Mercusys (TP-Link subsidiary) firmware update referenced. Owners should check the Mercusys support site for a firmware update newer than AC12G(EU)_V1_200909 and apply it once available; until then, treat configuration backup files as highly sensitive secrets - store them only in encrypted volumes, never email them or upload them to cloud storage, and delete them after use. Rotate all credentials currently stored on the router (admin password, WiFi PSK for each SSID, DDNS provider password, WAN/PPPoE password) under the assumption that any previously made backup may already be compromised, accepting the trade-off of needing to reconfigure all client devices with the new PSK. If feasible, replace the device with one that uses authenticated encryption (AES-GCM) for backups, since the underlying single-DES/ECB design cannot be remediated by configuration alone. Monitor the GitHub advisory (https://github.com/Tymbark7372/MERCUSYS-AC12G/blob/master/advisories/CVE-2026-36606.md) for vendor response updates.

Share

CVE-2026-36606 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy