Severity by source
AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 is vulnerable to a HTTP denial of service via a low number of crafted incomplete HTTP requests, causing a persistent crash that requires physical power cycling to recover.
AnalysisAI
Persistent denial-of-service in the Mercusys AC12G (EU) V1 router running firmware AC12G(EU)_V1_200909 allows an unauthenticated adjacent-network attacker to crash the device by sending a low number of crafted, incomplete HTTP requests, rendering it unresponsive until physically power-cycled. The attack exploits uncontrolled resource consumption (CWE-400) in the router's HTTP service, which fails to safely handle malformed or truncated connections. No public exploit code or active exploitation has been identified at time of analysis, and SSVC signals confirm exploitation status as none.
Technical ContextAI
The vulnerability resides in the HTTP server component embedded in the Mercusys AC12G (EU) V1 router's firmware (AC12G(EU)_V1_200909). CWE-400 (Uncontrolled Resource Consumption) indicates the HTTP handler does not enforce limits on incomplete or stalled connections - likely holding sockets, threads, or memory allocations open without timeout or cleanup logic. A small number of such requests is sufficient to exhaust the available handler capacity, crashing the service and the device itself in a non-recoverable state (persistent crash requiring physical power cycling). The CVSS attack vector of Adjacent Network (AV:A) reflects that the router's HTTP management interface is typically reachable from LAN-side clients rather than the open internet, though guest networks or other adjacent segments may also provide access. CPE data provided (cpe:2.3:a:n/a:n/a) is non-informative and the specific product scope is established solely by the researcher advisory and MITRE report.
RemediationAI
No vendor-released patch has been identified at time of analysis; the only public reference is a researcher-published GitHub advisory, not a vendor security bulletin. Administrators should monitor the Mercusys official support portal for firmware updates addressing this issue and apply any released patch immediately. In the interim, a practical compensating control is to restrict access to the router's HTTP management interface to a specific trusted IP or MAC address using the router's built-in access control features, preventing arbitrary LAN-side clients from reaching the web interface - note this may limit remote administration convenience. Where possible, disabling the HTTP management interface entirely and relying solely on local console access reduces the attack surface, though this eliminates web-based management. Network segmentation to isolate untrusted LAN devices (e.g., IoT devices, guest clients) from reaching the router's management plane is the most broadly effective compensating measure. Physical access controls to facilitate rapid power cycling are advisable for devices in unattended deployments where recovery time is a concern.
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34144
GHSA-j2fc-v5xj-h5gr