Severity by source
AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 contains hardcoded WiFi driver credentials including a RADIUS shared secret, WPS test key, and default PSK embedded in the production firmware binary.
AnalysisAI
Hardcoded WiFi driver credentials embedded in Mercusys AC12G (EU) V1 production firmware (AC12G(EU)_V1_200909) expose a RADIUS shared secret, a WPS test key, and a default PSK that cannot be changed by end users. An attacker within radio/adjacent-network range who has extracted and reverse-engineered the firmware binary can recover these static credentials and use them to authenticate against the router's wireless infrastructure without possessing legitimate user credentials. No public exploit code is confirmed beyond the researcher's advisory, and no active exploitation is indicated - EPSS sits at 0.02% (5th percentile), consistent with a niche, hardware-specific finding.
Technical ContextAI
CWE-798 (Use of Hard-coded Credentials) describes the root cause: credentials baked into the production binary that cannot be rotated without a firmware replacement. Three credential types are affected: (1) a RADIUS shared secret used in 802.1X enterprise authentication handshakes, (2) a WPS (Wi-Fi Protected Setup) test key left over from development or factory testing, and (3) a default Pre-Shared Key (PSK) embedded in the WiFi driver layer. Because these values live inside the driver binary rather than a user-accessible configuration store, normal credential-rotation procedures (changing the admin password, resetting the router) do not remediate the exposure. The affected product is specifically identified as Mercusys AC12G (EU) V1 running firmware AC12G(EU)_V1_200909; CPE data provided is generic (cpe:2.3:a:n/a:n/a) and offers no additional precision beyond the researcher's disclosure.
RemediationAI
No vendor-released patch has been identified at time of analysis - Mercusys (a TP-Link sub-brand) has not published an advisory or updated firmware version through any confirmed channel. The primary compensating control is to disable WPS entirely on the router administration interface, which neutralizes the WPS test key exposure and closes one of the three credential vectors; note that disabling WPS may prevent WPS-dependent client onboarding. If the router is deployed in a WPA2-Enterprise (RADIUS) environment, the RADIUS shared secret should be treated as compromised and the upstream RADIUS server should be reconfigured to reject authentications using the known hardcoded value - this requires identifying the exact secret via firmware extraction (documented in the researcher advisory). The default PSK exposure is partially mitigated by configuring a custom SSID passphrase through the admin interface, though it is unknown whether this overrides the hardcoded driver-level value or operates independently. Replacing the device with a model that does not carry the affected firmware is the most decisive remediation. Monitor the researcher's GitHub repository (https://github.com/Tymbark7372/MERCUSYS-AC12G) and Mercusys support channels for firmware updates.
Same weakness CWE-798 – Use of Hard-coded Credentials
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34154
GHSA-4wqr-74mq-rfw2