CVE-2026-36605: Mercusys AC12G Router HTTP Denial of Service Vulnerability
Mercusys AC12G (EU) V1 routers running firmware version AC12G(EU)_V1_200909 contain a denial-of-service vulnerability where an attacker on the local network can send a small number of specially crafted incomplete HTTP requests to crash the router. The device becomes unresponsive and requires a physical power cycle to restore function. This affects network availability for all connected devices.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-400
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-03 / 2026-06-17
NVD description (verbatim)
Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 is vulnerable to a HTTP denial of service via a low number of crafted incomplete HTTP requests, causing a persistent crash that requires physical power cycling to recover.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-36605 is an HTTP denial-of-service vulnerability in the Mercusys AC12G (EU) V1 router's HTTP request handling. The vulnerability stems from improper input validation in HTTP request processing (CWE-400: Uncontrolled Resource Consumption), allowing an attacker with local network access to send crafted incomplete HTTP requests that trigger a crash. The router firmware AC12G(EU)_V1_200909 fails to gracefully handle malformed requests, causing the HTTP service to crash in a way that persists until physical power cycling. The attack requires minimal technical sophistication—only network access and knowledge of the router's HTTP interface.
Business impact
Disruption of network connectivity affects all devices dependent on the router, potentially impacting productivity, remote access capabilities, and business continuity. Recovery requires manual intervention (physical power cycling), creating operational overhead. For small offices or home networks relying on this device, downtime can be significant. Repeated attacks create a denial-of-service condition that degrades user experience and trust in network infrastructure.
Affected systems
Mercusys AC12G (EU) V1 router with firmware version AC12G(EU)_V1_200909 is confirmed vulnerable. Other firmware versions of this model and regional variants have not been explicitly confirmed affected by this disclosure; verify with Mercusys documentation whether other versions are in scope. Mercusys AC-series routers in other regions or models may have similar vulnerabilities but should not be assumed affected without verification.
Exploitability
Exploitability is straightforward but requires local network access (AV:A). An attacker already on the network—via compromised device, rogue access point, or insider position—can trigger the crash. No authentication is needed, and the attack is reliable with low complexity. The barrier to exploitation is network proximity rather than technical skill, making this a practical concern for environments with untrusted or guest network segments. No public exploit code is known to be widely circulating, but the attack is conceptually simple.
Remediation
Update the Mercusys AC12G (EU) V1 router firmware to a patched version released after AC12G(EU)_V1_200909. Check the Mercusys support portal or contact their support team for the latest stable firmware build for this model and region. Verify the patch version against official Mercusys advisories before deployment. Until patching is possible, segment untrusted devices from the network and restrict physical access to the router's management interface.
Patch guidance
Visit the official Mercusys support website and locate the AC12G (EU) V1 product page to download the latest firmware release. Confirm the firmware version number to ensure it is newer than AC12G(EU)_V1_200909. Follow Mercusys's documented firmware update procedure, typically accessible via the router's web interface or management console. Test the update on a non-production router if possible. After applying the patch, verify that the router responds to HTTP requests without crashing and that network connectivity is restored.
Detection guidance
Monitor router logs and HTTP request patterns for repeated incomplete or malformed HTTP requests arriving in quick succession. Network intrusion detection systems (IDS) may flag multiple failed HTTP handshakes or truncated requests directed at the router's management interface (typically port 80 or 443). Review router uptime logs to identify unexpected restarts or extended downtime that could indicate crash events. Implement network segmentation to restrict which devices can directly communicate with the router's HTTP interface, reducing attack surface.
Why prioritize this
Although the CVSS score of 6.5 (MEDIUM) reflects limited scope and the availability impact, the practical effect is total network outage for a small office or home user. Recovery requires manual intervention, making this operationally disruptive. The attack is simple to execute from the local network. Organizations should prioritize patching this vulnerability if they deploy Mercusys AC12G (EU) V1 routers, especially in critical or always-on network segments. However, the requirement for local network access reduces urgency compared to remotely exploitable vulnerabilities.
Risk score, explained
CVSS 3.1 score of 6.5 reflects: Attack Vector (AV:A) requiring local network access, Attack Complexity (AC:L) as low, no Privileges Required (PR:N), no User Interaction (UI:N), scope unchanged (S:U), and high Availability impact (A:H). The medium severity rating appropriately captures a serious but localized threat. Real-world risk depends on network topology, whether untrusted devices have local access, and the criticality of the affected router to operations.
Frequently asked questions
Can this vulnerability be exploited remotely over the internet?
No. The vulnerability requires local network access (AV:A), meaning the attacker must be on the same local network segment as the router. It cannot be triggered from the internet without first compromising a device on the internal network.
Will updating the firmware to a newer version fix this issue?
Yes, provided the new firmware version is released after and explicitly addresses this vulnerability. Always verify against official Mercusys release notes that the patched version resolves CVE-2026-36605 before deployment.
What happens if the router crashes repeatedly?
Each crash requires manual power cycling to restore function. Repeated crashes create a persistent denial-of-service condition. Applying the patch is essential to prevent recurrence. If patching is delayed, restrict network access to the router's HTTP interface using firewall rules or network segmentation.
Does this affect routers in other regions or the non-EU version of AC12G?
This advisory specifically confirms CVE-2026-36605 in the EU variant with firmware AC12G(EU)_V1_200909. Other regional variants or hardware versions have not been confirmed affected. Check Mercusys documentation or contact support to determine if your specific model and firmware version are vulnerable.
This analysis is provided for informational purposes and represents SEC.co's interpretation of publicly disclosed vulnerability information as of the publication date. The vulnerability details, affected firmware versions, and remediation guidance are based on vendor disclosures and technical assessment. Organizations should independently verify patch availability and compatibility with their environment before deployment. SEC.co makes no warranty regarding the completeness or accuracy of this assessment and disclaims liability for damages arising from its use or reliance. Always consult official Mercusys advisories and conduct testing in non-production environments before applying security updates to production infrastructure. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2019-25721MEDIUMDräger Infinity M300 Denial-of-Service Vulnerability – Network-Induced Device Reboots
- CVE-2019-25724MEDIUMDräger Infinity M300 Denial-of-Service Vulnerability Impact on Patient Monitoring
- CVE-2025-48648MEDIUMAndroid NotificationManagerService Resource Exhaustion DoS
- CVE-2026-0042MEDIUMAndroid UBSan Resource Exhaustion Denial of Service
- CVE-2026-0069MEDIUMAndroid Resource Exhaustion in APK Signature Verification
- CVE-2026-0074MEDIUMAndroid LauncherProcessImageListener Denial of Service Vulnerability
- CVE-2026-10156MEDIUMOpen5GS Resource Exhaustion Vulnerability in nf-instances Endpoint
- CVE-2026-10224MEDIUMNousResearch hermes-agent Webhook Resource Exhaustion Vulnerability