Skip to main content

Mercusys AC12G CVE-2026-36616

| EUVDEUVD-2026-34154 MEDIUM
Use of Hard-coded Credentials (CWE-798)
2026-06-03 mitre GHSA-4wqr-74mq-rfw2
5.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.9 MEDIUM
AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Adjacent
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

3
Analysis Generated
Jun 04, 2026 - 14:25 vuln.today
CVSS changed
Jun 04, 2026 - 14:22 NVD
5.9 (MEDIUM)
CVE Published
Jun 03, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 contains hardcoded WiFi driver credentials including a RADIUS shared secret, WPS test key, and default PSK embedded in the production firmware binary.

AnalysisAI

Hardcoded WiFi driver credentials embedded in Mercusys AC12G (EU) V1 production firmware (AC12G(EU)_V1_200909) expose a RADIUS shared secret, a WPS test key, and a default PSK that cannot be changed by end users. An attacker within radio/adjacent-network range who has extracted and reverse-engineered the firmware binary can recover these static credentials and use them to authenticate against the router's wireless infrastructure without possessing legitimate user credentials. No public exploit code is confirmed beyond the researcher's advisory, and no active exploitation is indicated - EPSS sits at 0.02% (5th percentile), consistent with a niche, hardware-specific finding.

Technical ContextAI

CWE-798 (Use of Hard-coded Credentials) describes the root cause: credentials baked into the production binary that cannot be rotated without a firmware replacement. Three credential types are affected: (1) a RADIUS shared secret used in 802.1X enterprise authentication handshakes, (2) a WPS (Wi-Fi Protected Setup) test key left over from development or factory testing, and (3) a default Pre-Shared Key (PSK) embedded in the WiFi driver layer. Because these values live inside the driver binary rather than a user-accessible configuration store, normal credential-rotation procedures (changing the admin password, resetting the router) do not remediate the exposure. The affected product is specifically identified as Mercusys AC12G (EU) V1 running firmware AC12G(EU)_V1_200909; CPE data provided is generic (cpe:2.3:a:n/a:n/a) and offers no additional precision beyond the researcher's disclosure.

RemediationAI

No vendor-released patch has been identified at time of analysis - Mercusys (a TP-Link sub-brand) has not published an advisory or updated firmware version through any confirmed channel. The primary compensating control is to disable WPS entirely on the router administration interface, which neutralizes the WPS test key exposure and closes one of the three credential vectors; note that disabling WPS may prevent WPS-dependent client onboarding. If the router is deployed in a WPA2-Enterprise (RADIUS) environment, the RADIUS shared secret should be treated as compromised and the upstream RADIUS server should be reconfigured to reject authentications using the known hardcoded value - this requires identifying the exact secret via firmware extraction (documented in the researcher advisory). The default PSK exposure is partially mitigated by configuring a custom SSID passphrase through the admin interface, though it is unknown whether this overrides the hardcoded driver-level value or operates independently. Replacing the device with a model that does not carry the affected firmware is the most decisive remediation. Monitor the researcher's GitHub repository (https://github.com/Tymbark7372/MERCUSYS-AC12G) and Mercusys support channels for firmware updates.

Share

CVE-2026-36616 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy