Skip to main content

Mercusys AC12G CVE-2026-36609

| EUVDEUVD-2026-34148 HIGH
Use of a Broken or Risky Cryptographic Algorithm (CWE-327)
2026-06-03 mitre GHSA-wmgq-9q82-422r
7.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.3 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
Analysis Generated
Jun 03, 2026 - 20:23 vuln.today
CVSS changed
Jun 03, 2026 - 20:22 NVD
7.3 (HIGH)
CVE Published
Jun 03, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 uses a static authentication nonce that does not change between requests from the same source IP. Combined with the predictable XOR-based password encoding (securityEncode function), this allows an attacker to reverse captured authentication tokens to recover the plaintext password.

AnalysisAI

Authentication token recovery in Mercusys AC12G (EU) V1 routers running firmware AC12G(EU)_V1_200909 allows network-based attackers to decrypt captured login credentials and recover plaintext administrator passwords. The flaw stems from a static authentication nonce that never rotates for requests originating from the same source IP, combined with a weak XOR-based password encoding routine (securityEncode). A public advisory exists on GitHub, but no public exploit code or active exploitation has been identified at the time of analysis.

Technical ContextAI

The Mercusys AC12G is a consumer/SOHO dual-band Wi-Fi router whose web management interface relies on a client-side encoding function named securityEncode to obfuscate credentials before transmission. This routine performs a reversible XOR operation against a nonce supplied by the server; because that nonce is static per source IP and never re-randomized, the cipher reduces to a trivial substitution that an observer with the nonce and the encoded token can invert. The underlying weakness is classified as CWE-327 (Use of a Broken or Risky Cryptographic Algorithm) - both the choice of XOR as the protective primitive and the failure to use a fresh, unpredictable challenge defeat the intended authentication-token protection. The CPE entry in NVD is the placeholder cpe:2.3:a:n/a:n/a:*, meaning no formal CPE has yet been assigned to the device, so automated asset matching against this CVE will not work.

RemediationAI

No vendor-released patch is identified at time of analysis - neither Mercusys nor TP-Link (its parent) has published a firmware advisory referenced in the available data, so administrators should monitor https://www.mercusys.com for an updated firmware build superseding AC12G(EU)_V1_200909 and apply it as soon as it is released. As compensating controls, restrict access to the router's web management interface to a trusted wired LAN segment by disabling remote/WAN management and any Wi-Fi-based admin access (trade-off: administrators must be on-LAN to configure the device); place the router behind a separate trusted network or VLAN so adjacent guests cannot observe authentication traffic; set a long, high-entropy admin password that is unique to this device so that recovered credentials cannot be reused elsewhere (trade-off: does not prevent recovery, only limits credential reuse blast radius); and, where feasible, replace the device with one that uses TLS for management and a properly randomized per-session challenge. The researcher advisory at https://github.com/Tymbark7372/MERCUSYS-AC12G/blob/master/advisories/CVE-2026-36609.md should be consulted for technical detail on the securityEncode routine.

Share

CVE-2026-36609 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy