CVE-2026-36607: Mercusys AC12G Router Brute-Force Vulnerability – Rate Limiting Bypass
A vulnerability in Mercusys AC12G (EU) V1 routers allows attackers on the same local network to repeatedly guess the administrator password without limit. Unlike the normal login interface which enforces rate limiting, the password change feature in the router's management protocol accepts unlimited guesses, giving attackers a straightforward path to full administrative access.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-307
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-03 / 2026-06-17
NVD description (verbatim)
Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 allows unauthenticated brute-force attacks via the TDDP password change endpoint (code=10), which lacks the rate limiting applied to the login endpoint (code=7). An attacker on the adjacent network can attempt unlimited passwords without triggering account lockout.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-36607 is a brute-force vulnerability affecting the Mercusys AC12G (EU) V1 router running firmware version AC12G(EU)_V1_200909. The vulnerability exists in the TDDP (Mercusys proprietary protocol) password change endpoint (code=10), which lacks the rate-limiting protections implemented on the standard login endpoint (code=7). An unauthenticated attacker with network-adjacent access can submit unlimited password attempts against this endpoint without triggering account lockout or delays, effectively bypassing the rate-limiting safeguards present elsewhere in the application. This maps to CWE-307 (Improper Restriction of Rendered UI Layers or Frames), which encompasses insufficient protection of sensitive operations from brute-force attack.
Business impact
Compromise of a home or small office router grants an attacker complete control over network traffic, enabling credential harvesting, malware injection, man-in-the-middle attacks, and network reconnaissance. For small businesses or home offices relying on this router for network perimeter security, successful exploitation results in loss of confidentiality, integrity, and availability. Device management, firmware update mechanisms, and DHCP/DNS configuration all become attacker-controllable, creating a persistent foothold for lateral movement or data exfiltration.
Affected systems
Mercusys AC12G (EU) V1 routers running firmware AC12G(EU)_V1_200909 are confirmed affected. The vulnerability is specific to this model and firmware version; other Mercusys router models or updated firmware versions may not be affected. Mercusys (a TP-Link sub-brand) users should verify their exact model designation and firmware build against the vendor advisory to confirm exposure.
Exploitability
Exploitability is high. The attack requires only network-adjacent access (same LAN or adjacent network segment) and no authentication. Attackers can craft TDDP protocol packets with password change requests and iterate through credential combinations at will. The lack of rate limiting means the attack can be automated with standard tooling. An attacker need not wait between attempts or worry about lockout, making password brute-force practical even against reasonably complex passwords given sufficient time. No special privileges or user interaction are required.
Remediation
Update the router firmware to the patched version released by Mercusys. Consult the official Mercusys support page for AC12G (EU) V1 to obtain the corrected firmware build. As an interim mitigation, segment the router's management interface to a restricted network, disable remote management features if not required, and consider deploying network-level access controls to limit which hosts can reach the TDDP management port. Change the administrator password to a strong, unique credential after patching.
Patch guidance
Verify the availability of a patched firmware release from Mercusys for the AC12G (EU) V1 model against the official vendor advisory. Apply firmware updates through the router's web interface (System Tools > Firmware Upgrade) or via the Mercusys firmware download page, ensuring the device does not lose power during the update process. After a successful update, log in and verify that the firmware version has advanced beyond AC12G(EU)_V1_200909. Test password change functionality to confirm rate limiting is now in place.
Detection guidance
Monitor network traffic for repeated TDDP protocol packets (typically UDP port 1040) originating from suspicious sources and targeting the TDDP endpoint code=10 (password change). Firewall and IDS logs may capture automated password-guessing attempts as a pattern of requests with increasing or varying password payloads. Check router logs (if retained) for failed authentication or configuration change attempts. Network segmentation and monitoring of management protocol traffic can highlight unauthorized access attempts before successful compromise.
Why prioritize this
This vulnerability merits rapid patching due to its combination of high CVSS score (8.8), lack of authentication requirement, local network accessibility, and potential for complete device compromise. Small office and home network users may not monitor router activity closely, allowing attackers to establish persistent access. The straightforward nature of the attack—simple brute-force without exploitation complexity—means attackers with basic networking knowledge can weaponize it quickly.
Risk score, explained
The CVSS 3.1 score of 8.8 (HIGH) reflects high impact across confidentiality, integrity, and availability (C:H, I:H, A:H), minimal attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and network-adjacent attack surface (AV:A). The lack of scope change (S:U) prevents the score from reaching critical, but the combination of complete device takeover capability and the straightforward brute-force path justifies the high rating.
Frequently asked questions
Does this vulnerability affect other Mercusys router models?
The vulnerability is confirmed for Mercusys AC12G (EU) V1 with the specified firmware version. Other Mercusys models may have different implementations of their management protocols. Consult the vendor advisory to determine which products are in scope. Users of other Mercusys routers should check their model and firmware against official advisories.
Can this be exploited over the internet?
No. The vulnerability requires network-adjacent access (shared LAN segment or local network). Internet-based attacks are not possible unless an attacker has already compromised a device on the target network or established another path to the local subnet.
Is there a workaround if I cannot patch immediately?
Interim protections include disabling the router's remote management features, restricting access to the management interface via firewall rules, physically isolating the router to a trusted network segment, and enabling any available authentication enforcement on the TDDP protocol if the firmware offers such options. However, these are temporary measures; patching is the definitive fix.
Why does the password change endpoint have weaker protections than the login endpoint?
This is a design flaw in the router's firmware. The developers likely overlooked the need to apply rate-limiting uniformly across all administrative endpoints, treating the password change feature as lower-risk than login. In reality, both functions should enforce identical or equivalent protections to prevent brute-force attacks on sensitive operations.
This analysis is based on the publicly disclosed CVE-2026-36607 details and does not constitute legal or professional security advice. Organizations should independently verify the applicability of this vulnerability to their environment and consult official Mercusys advisories for authoritative guidance on affected products and remediation timelines. SEC.co assumes no liability for decisions made based on this intelligence. Testing or exploitation of this vulnerability without explicit authorization is illegal. All patch versions and remediation steps should be verified against the vendor's official documentation before implementation. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-35675HIGHphpMyFAQ Password Reset Authentication Bypass – Account Takeover
- CVE-2026-10216LOWWeak Authentication Rate-Limiting in unitedbyai Droidclaw
- CVE-2026-36612MEDIUMMercusys AC12G Weak WPS Lockout Policy Enables Router Compromise
- CVE-2018-25382HIGHZechat 1.5 SQL Injection Vulnerability – Unauthenticated Database Access
- CVE-2018-25383HIGHFree MP3 CD Ripper 2.8 Stack Overflow – ROP and DEP Bypass Risk
- CVE-2018-25385HIGHUnauthenticated SQL Injection in E-Registrasi Pencak Silat 18.10
- CVE-2018-25386HIGHSQL Injection in HaPe PKH 1.1 Admin Interface
- CVE-2018-25388HIGHHaPe PKH 1.1 Arbitrary File Upload Vulnerability (CVSS 8.8)