Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 transmits DDNS credentials over plaintext HTTP with only Base64 encoding. The firmware contains no TLS implementation, allowing man-in-the-middle interception of DDNS service credentials.
AnalysisAI
Cleartext credential exposure in the Mercusys AC12G (EU) V1 router (firmware AC12G(EU)_V1_200909) allows a network-positioned attacker to intercept DDNS service credentials in transit. The firmware transmits DDNS credentials over plaintext HTTP with only Base64 encoding - an encoding scheme, not encryption - and contains no TLS implementation whatsoever. A successful man-in-the-middle interception results in full credential disclosure (C:H), enabling an attacker to hijack the associated DDNS hostname and redirect domain traffic. No public exploit identified at time of analysis, and this CVE is not listed in CISA KEV.
Technical ContextAI
CWE-319 (Cleartext Transmission of Sensitive Information) describes the root cause: the firmware sends sensitive data over an unencrypted channel. Base64 encoding is a reversible data-encoding scheme - not a cryptographic primitive - and provides zero confidentiality protection; any intercepted payload can be decoded instantly with standard tooling. The absence of any TLS implementation in the firmware is a design-level omission, not a misconfiguration, meaning there is no software toggle or setting that can enable encryption without a firmware replacement. The affected device is Mercusys AC12G (EU) V1 running firmware AC12G(EU)_V1_200909. NVD CPE data is recorded as n/a, which limits automated asset-inventory tooling; affected product identity is confirmed by the researcher advisory rather than NVD CPE strings.
RemediationAI
No vendor-released patch has been identified at time of analysis. The primary remediation action is to disable DDNS functionality on the Mercusys AC12G if it is not operationally required, eliminating the credential transmission entirely - this is the most effective compensating control and carries no functional trade-off for deployments not relying on dynamic DNS. If DDNS is required, traffic from the router to the DDNS service endpoint should be tunneled through an encrypted VPN at the network layer, though this requires additional infrastructure and may not be feasible in all SOHO environments. Restricting LAN-side access to devices that could perform ARP poisoning reduces MITM risk on the local segment but does not protect against ISP-level interception. Firmware upgrades from Mercusys should be monitored via the vendor's support portal; the researcher advisory is available at https://github.com/Tymbark7372/MERCUSYS-AC12G/blob/master/advisories/CVE-2026-36610.md and the NVD record is at https://nvd.nist.gov/vuln/detail/CVE-2026-36610.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34149
GHSA-f7vm-g3rr-mf92