Severity by source
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 allows unauthenticated brute-force attacks via the TDDP password change endpoint (code=10), which lacks the rate limiting applied to the login endpoint (code=7). An attacker on the adjacent network can attempt unlimited passwords without triggering account lockout.
AnalysisAI
Authentication brute-force weakness in Mercusys AC12G (EU) V1 routers running firmware AC12G(EU)_V1_200909 allows an attacker on the adjacent network to enumerate the admin password without triggering any lockout. The flaw stems from the TDDP password-change endpoint (code=10) lacking the rate limiting that is enforced on the login endpoint (code=7), giving attackers unlimited guessing attempts. No public exploit identified at time of analysis, but a third-party advisory has been published on GitHub.
Technical ContextAI
TDDP (TP-Link Device Debug Protocol) is a UDP-based management protocol historically used in TP-Link and Mercusys consumer routers, typically on port 1040. The vulnerability sits in TDDP command code 10 (password change), where the firmware author applied rate limiting and lockout only to command code 7 (login) but left the password change handler unprotected. This is a textbook CWE-307 (Improper Restriction of Excessive Authentication Attempts) issue: an authentication-adjacent operation accepts an unlimited stream of credential guesses. The NVD CPE string is a placeholder ('n/a:n/a'), so CPE matching is unreliable here - the affected platform is identified only by the vendor advisory and the description.
RemediationAI
No vendor-released patch identified at time of analysis; Mercusys has not published an advisory or fixed firmware build linked from the available references. Until a firmware update is issued, compensating controls include disabling remote/WAN management, isolating the router's management interface on a dedicated VLAN or management SSID to reduce adjacent-network exposure (side effect: legitimate admins must connect from that segment), blocking inbound UDP traffic to the TDDP port (commonly UDP/1040) on any upstream filtering device (side effect: breaks any legitimate tools that rely on TDDP), and setting a long, high-entropy admin password to make brute-force computationally infeasible (side effect: usability burden but no functional regression). Monitor the researcher advisory at https://github.com/Tymbark7372/MERCUSYS-AC12G/blob/master/advisories/CVE-2026-36607.md and the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-36607 for a vendor fix.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34146
GHSA-66mf-3gg5-cm75