Skip to main content

Mercusys AC12G CVE-2026-36615

| EUVDEUVD-2026-34153 MEDIUM
Information Exposure (CWE-200)
2026-06-03 mitre GHSA-9v66-826q-jx8j
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Analysis Generated
Jun 03, 2026 - 20:36 vuln.today
CVSS changed
Jun 03, 2026 - 19:22 NVD
4.3 (MEDIUM)
CVE Published
Jun 03, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 exposes an undocumented /agileconfigreset endpoint that returns internal buffer contents to unauthenticated attackers on the adjacent network.

AnalysisAI

Unauthenticated information disclosure in the Mercusys AC12G (EU) V1 router allows any attacker on the adjacent network to retrieve internal buffer contents by querying an undocumented /agileconfigreset HTTP endpoint, confirmed for firmware version AC12G(EU)_V1_200909. The CVSS vector (AV:A/AC:L/PR:N/UI:N) confirms no authentication or user interaction is required, though exploitation is bounded to the local network segment rather than the internet. No public exploit has been identified at time of analysis, and no vendor patch has been confirmed.

Technical ContextAI

The Mercusys AC12G is a consumer-grade 802.11ac Wi-Fi router manufactured by Mercusys (a TP-Link subsidiary). The vulnerability resides in the router's embedded HTTP management interface firmware, which exposes an undocumented endpoint /agileconfigreset that returns raw internal buffer contents when accessed. CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) identifies the root cause: the firmware includes a debug or legacy endpoint that was never removed or access-controlled before production release. The CVSS attack vector AV:A (Adjacent Network) confirms the attacker must share the same broadcast domain - LAN-connected or Wi-Fi-associated - as the device. CPE data in the provided intelligence is non-specific (cpe:2.3:a:n/a:n/a), limiting authoritative version scoping to what the researcher advisory directly reports.

RemediationAI

No vendor-released patch has been identified at time of analysis - Mercusys has not published a remediation advisory in the provided reference set. Monitor the researcher advisory at https://github.com/Tymbark7372/MERCUSYS-AC12G/blob/master/advisories/CVE-2026-36615.md and the Mercusys/TP-Link firmware portal for updates to AC12G(EU)_V1 firmware beyond version AC12G(EU)_V1_200909. As a compensating control, segment untrusted devices (guests, IoT) onto a separate VLAN or SSID that does not share a broadcast domain with the router's LAN management IP, directly preventing adjacent-network access from untrusted parties - though this requires a managed switch or secondary AP and may not be feasible on the AC12G itself. Disabling the router's web management interface from the wireless interface (if the firmware permits interface binding) would reduce exposure, but this capability is unconfirmed for this model. Do not expose the router's management interface to the internet via port forwarding.

Share

CVE-2026-36615 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy