Skip to main content

Mercusys AC12G CVE-2026-36607

| EUVDEUVD-2026-34146 HIGH
Improper Restriction of Excessive Authentication Attempts (CWE-307)
2026-06-03 mitre GHSA-66mf-3gg5-cm75
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
Jun 03, 2026 - 20:30 vuln.today
CVSS changed
Jun 03, 2026 - 19:22 NVD
8.8 (HIGH)
CVE Published
Jun 03, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 allows unauthenticated brute-force attacks via the TDDP password change endpoint (code=10), which lacks the rate limiting applied to the login endpoint (code=7). An attacker on the adjacent network can attempt unlimited passwords without triggering account lockout.

AnalysisAI

Authentication brute-force weakness in Mercusys AC12G (EU) V1 routers running firmware AC12G(EU)_V1_200909 allows an attacker on the adjacent network to enumerate the admin password without triggering any lockout. The flaw stems from the TDDP password-change endpoint (code=10) lacking the rate limiting that is enforced on the login endpoint (code=7), giving attackers unlimited guessing attempts. No public exploit identified at time of analysis, but a third-party advisory has been published on GitHub.

Technical ContextAI

TDDP (TP-Link Device Debug Protocol) is a UDP-based management protocol historically used in TP-Link and Mercusys consumer routers, typically on port 1040. The vulnerability sits in TDDP command code 10 (password change), where the firmware author applied rate limiting and lockout only to command code 7 (login) but left the password change handler unprotected. This is a textbook CWE-307 (Improper Restriction of Excessive Authentication Attempts) issue: an authentication-adjacent operation accepts an unlimited stream of credential guesses. The NVD CPE string is a placeholder ('n/a:n/a'), so CPE matching is unreliable here - the affected platform is identified only by the vendor advisory and the description.

RemediationAI

No vendor-released patch identified at time of analysis; Mercusys has not published an advisory or fixed firmware build linked from the available references. Until a firmware update is issued, compensating controls include disabling remote/WAN management, isolating the router's management interface on a dedicated VLAN or management SSID to reduce adjacent-network exposure (side effect: legitimate admins must connect from that segment), blocking inbound UDP traffic to the TDDP port (commonly UDP/1040) on any upstream filtering device (side effect: breaks any legitimate tools that rely on TDDP), and setting a long, high-entropy admin password to make brute-force computationally infeasible (side effect: usability burden but no functional regression). Monitor the researcher advisory at https://github.com/Tymbark7372/MERCUSYS-AC12G/blob/master/advisories/CVE-2026-36607.md and the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-36607 for a vendor fix.

Share

CVE-2026-36607 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy