Skip to main content

Mercusys AC12G EUVDEUVD-2026-34149

| CVE-2026-36610 MEDIUM
Cleartext Transmission of Sensitive Information (CWE-319)
2026-06-03 mitre GHSA-f7vm-g3rr-mf92
5.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.9 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Analysis Generated
Jun 03, 2026 - 22:22 vuln.today
CVSS changed
Jun 03, 2026 - 22:22 NVD
5.9 (MEDIUM)
CVE Published
Jun 03, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 transmits DDNS credentials over plaintext HTTP with only Base64 encoding. The firmware contains no TLS implementation, allowing man-in-the-middle interception of DDNS service credentials.

AnalysisAI

Cleartext credential exposure in the Mercusys AC12G (EU) V1 router (firmware AC12G(EU)_V1_200909) allows a network-positioned attacker to intercept DDNS service credentials in transit. The firmware transmits DDNS credentials over plaintext HTTP with only Base64 encoding - an encoding scheme, not encryption - and contains no TLS implementation whatsoever. A successful man-in-the-middle interception results in full credential disclosure (C:H), enabling an attacker to hijack the associated DDNS hostname and redirect domain traffic. No public exploit identified at time of analysis, and this CVE is not listed in CISA KEV.

Technical ContextAI

CWE-319 (Cleartext Transmission of Sensitive Information) describes the root cause: the firmware sends sensitive data over an unencrypted channel. Base64 encoding is a reversible data-encoding scheme - not a cryptographic primitive - and provides zero confidentiality protection; any intercepted payload can be decoded instantly with standard tooling. The absence of any TLS implementation in the firmware is a design-level omission, not a misconfiguration, meaning there is no software toggle or setting that can enable encryption without a firmware replacement. The affected device is Mercusys AC12G (EU) V1 running firmware AC12G(EU)_V1_200909. NVD CPE data is recorded as n/a, which limits automated asset-inventory tooling; affected product identity is confirmed by the researcher advisory rather than NVD CPE strings.

RemediationAI

No vendor-released patch has been identified at time of analysis. The primary remediation action is to disable DDNS functionality on the Mercusys AC12G if it is not operationally required, eliminating the credential transmission entirely - this is the most effective compensating control and carries no functional trade-off for deployments not relying on dynamic DNS. If DDNS is required, traffic from the router to the DDNS service endpoint should be tunneled through an encrypted VPN at the network layer, though this requires additional infrastructure and may not be feasible in all SOHO environments. Restricting LAN-side access to devices that could perform ARP poisoning reduces MITM risk on the local segment but does not protect against ISP-level interception. Firmware upgrades from Mercusys should be monitored via the vendor's support portal; the researcher advisory is available at https://github.com/Tymbark7372/MERCUSYS-AC12G/blob/master/advisories/CVE-2026-36610.md and the NVD record is at https://nvd.nist.gov/vuln/detail/CVE-2026-36610.

Share

EUVD-2026-34149 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy