Skip to main content

Mercusys AC12G CVE-2026-36612

| EUVDEUVD-2026-34151 MEDIUM
Improper Restriction of Excessive Authentication Attempts (CWE-307)
2026-06-03 mitre GHSA-m39f-rg22-q2x7
6.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.4 MEDIUM
AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
Attack Vector
Adjacent
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
Analysis Generated
Jun 04, 2026 - 14:24 vuln.today
CVSS changed
Jun 04, 2026 - 14:22 NVD
6.4 (MEDIUM)
CVE Published
Jun 03, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 enables WPS 2.0 by default with a weak lockout policy (60-second lockout after 10 attempts).

AnalysisAI

WPS 2.0 brute-force exposure on the Mercusys AC12G (EU) V1 router allows an adjacent unauthenticated attacker to recover Wi-Fi credentials by exhausting the WPS PIN space against a trivially bypassed lockout policy of only 60 seconds per 10 attempts. Firmware version AC12G(EU)_V1_200909 ships with WPS 2.0 enabled by default, meaning no user reconfiguration is required to be vulnerable. Successful exploitation yields full confidentiality and integrity compromise of the wireless network (C:H/I:H), effectively granting the attacker LAN access. No public exploit code or CISA KEV listing has been identified at time of analysis; EPSS of 0.02% reflects low widespread exploitation probability but does not reduce risk for targeted home or small-office environments.

Technical ContextAI

Wi-Fi Protected Setup (WPS) PIN mode is susceptible to offline and online brute-force due to a structural flaw in the protocol: the 8-digit PIN is validated in two independent 4-digit halves, reducing the effective keyspace from 100 million to roughly 11,000 combinations. CWE-307 (Improper Restriction of Excessive Authentication Attempts) is the root cause - the router enforces only a 60-second lockout after 10 failed attempts, which is wholly inadequate to deter a paced brute-force attack. WPS 2.0 introduced some lockout improvements over WPS 1.0, but the specific policy implemented in this firmware (10 attempts / 60-second cooldown) still permits full PIN recovery within hours. The affected hardware is the Mercusys AC12G (EU) V1 running firmware AC12G(EU)_V1_200909; the NVD CPE entry (cpe:2.3:a:n/a:n/a:*:*:*:*:*:*:*:*) is uninformative and version scope is derived from the researcher advisory and description rather than a formal vendor CPE entry.

RemediationAI

The primary mitigation is to disable WPS entirely in the router's administrative interface if WPS functionality is not required - this eliminates the attack surface completely at the cost of losing push-button device onboarding convenience. Navigate to the router's wireless settings panel and toggle WPS off. If WPS must remain enabled, configure the strongest available lockout policy (increase lockout duration and reduce the attempt threshold if the firmware supports it), though the underlying WPS PIN design flaw means this is a compensating control, not a fix. No vendor-released patch has been identified at time of analysis; check Mercusys support pages for firmware updates to AC12G(EU)_V1 beyond the 200909 build date. The researcher advisory is available at https://github.com/Tymbark7372/MERCUSYS-AC12G/blob/master/advisories/CVE-2026-36612.md and the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-36612. As an additional layer, restricting physical proximity to the device's radio range (e.g., placing the router away from exterior walls) reduces the effective attack surface but is not a substitute for disabling WPS.

Share

CVE-2026-36612 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy