HIGH 7.3

CVE-2026-36609: Mercusys AC12G Static Nonce Authentication Bypass & Password Recovery

A vulnerability in Mercusys AC12G (EU) V1 routers with firmware version AC12G(EU)_V1_200909 allows attackers on the network to recover administrator passwords. The router uses a static authentication nonce (a security token) that remains the same for requests from the same IP address, and combines this with weak password encoding. An attacker who captures authentication traffic can reverse-engineer the encoding to extract plaintext credentials, potentially gaining full administrative control of the router.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-327, CWE-341
Affected products
0 configuration(s)
Published / Modified
2026-06-03 / 2026-06-17

NVD description (verbatim)

Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 uses a static authentication nonce that does not change between requests from the same source IP. Combined with the predictable XOR-based password encoding (securityEncode function), this allows an attacker to reverse captured authentication tokens to recover the plaintext password.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-36609 stems from two compounding weaknesses in the AC12G router's authentication mechanism. First, the authentication nonce—a value designed to be unique and unpredictable per request—is static per source IP, violating cryptographic randomness principles (CWE-341). Second, the securityEncode function implements a predictable XOR-based cipher rather than authenticated encryption, allowing deterministic password recovery when the nonce and ciphertext are known. An attacker positioned to observe network traffic or with local network access can capture authentication frames, recover the nonce from predictable patterns, and apply XOR decryption to extract the plaintext administrative password. This is a pre-authentication attack requiring no valid credentials to begin reconnaissance.

Business impact

Compromise of a Mercusys AC12G router grants attackers control over network access, DNS settings, firmware updates, and traffic interception capabilities. For residential and small business deployments, this can lead to man-in-the-middle attacks, malware injection, credential harvesting from connected devices, and persistent backdoor installation. Organizations using these routers for branch office or remote site connectivity face risk of lateral movement into corporate networks. The ease of exploitation and lack of authentication requirements elevate the practical risk significantly beyond the CVSS base score alone.

Affected systems

Mercusys AC12G (EU) V1 routers running firmware AC12G(EU)_V1_200909 are confirmed vulnerable. Mercusys is a TP-Link subsidiary; other regional variants (US, Asia, etc.) and firmware versions require independent verification against the vendor advisory. Models with different hardware versions or firmware builds may have differing vulnerability status. Organizations should check serial numbers and firmware version strings on deployed units to determine exposure.

Exploitability

Exploitability is high. The attack requires no authentication, no user interaction, and no advanced exploitation techniques—only the ability to capture network traffic or access the LAN segment. An attacker with basic packet capture tools can obtain the necessary data in minutes. The predictable XOR cipher means no brute force or advanced cryptanalysis is needed. Network-adjacent attackers (malware on a connected device, rogue WiFi access point, or ARP spoofing) can easily harvest credentials. Public tooling to automate credential extraction is likely to emerge once widespread awareness increases.

Remediation

Mercusys should issue a firmware patch implementing: (1) cryptographically random, per-request nonce generation; (2) replacement of XOR encoding with authenticated encryption (e.g., AES-GCM); (3) optional rate limiting or lockout on repeated authentication failures. Organizations should immediately check for and apply any available firmware updates from Mercusys. Until patched, consider restricting router web interface access to trusted IP ranges, disabling remote management, and enforcing strong administrative passwords. Network segmentation to isolate router management traffic is a compensating control.

Patch guidance

Check the Mercusys support website and your router's firmware update interface for a patched version of AC12G(EU)_V1 firmware released after June 2026. Firmware updates are typically applied via the web interface under Administration > System Tools > Firmware Upgrade. After any update, verify the new firmware version in the System Settings page and power-cycle the router. If no patch is available from Mercusys for your specific regional variant, consider replacement with a router from a vendor with active security support and more robust authentication practices. Document the firmware version prior to and after patching for audit trails.

Detection guidance

Monitor router authentication logs (if available via web interface or syslog export) for multiple failed login attempts from the same or varying source IPs—a sign of password recovery attempts. On the network, detect potential exploitation by monitoring for repeated authentication requests from a single source IP within short time windows, or traffic patterns consistent with packet capture on the LAN segment. Intrusion detection signatures should flag XOR-encoded authentication payloads if the structure is known. Endpoint detection should alert on tools commonly used for packet capture (tcpdump, Wireshark) running on connected devices without authorization. Check router access logs after a security incident for suspicious login timestamps or changes to DNS, DHCP, or firewall rules that occurred without authorization.

Why prioritize this

Despite a CVSS score of 7.3 (HIGH), this vulnerability merits urgent prioritization due to pre-authentication exploitability, ease of attack, and high business impact. The router is a critical network chokepoint; compromise is equivalent to an attacker standing on your network perimeter. Residential and SOHO deployments often lack monitoring and may remain unpatched for extended periods, increasing risk window. Organizations should prioritize patching or isolating affected AC12G routers within 2–4 weeks.

Risk score, explained

The CVSS 3.1 score of 7.3 reflects Attack Vector: Network (exploitable remotely or from adjacent networks), Attack Complexity: Low (no special conditions needed), Privileges Required: None (no auth needed), User Interaction: None (no social engineering), Scope: Unchanged, and confidentiality/integrity/availability impact of Low each. This conservative rating does not fully capture the cascading impact of router compromise (widespread network access, lateral movement potential, data interception). Real-world risk to most organizations may be higher, especially if the router is internet-facing or holds sensitive network responsibilities.

Frequently asked questions

Is my router vulnerable if I have a different firmware version?

Only AC12G(EU)_V1_200909 firmware is confirmed vulnerable. Other versions and regional variants (US, Asia, AU) require verification against the official Mercusys advisory or changelog. Check your firmware version in the router web interface under System Settings or Administration. If uncertain, contact Mercusys support with your model and serial number.

Can I work around this without a firmware update?

Yes, partially. Disable remote management (disable WAN access to the web interface), restrict the web interface to a static trusted IP range using firewall rules, and enforce a very strong, unique administrative password. Segment your router management traffic on a separate VLAN if your network architecture supports it. However, these are temporary measures; patching is essential.

Does this vulnerability affect my WiFi encryption (WPA2/WPA3)?

No. This vulnerability is specific to router administrative authentication, not WiFi data encryption. Your WiFi security settings are independent. However, an attacker who gains router credentials can modify WiFi settings or insert themselves into network traffic, compromising connected devices.

What should I do if my router is internet-facing?

Immediately verify your firmware version and apply any available patches. In the interim, disable remote management from the WAN side in the router's administration panel. If you require remote access, consider using a VPN to the router rather than direct web interface exposure. Audit router access logs for suspicious login activity. If patching is unavailable for your variant, strongly consider replacing the router with an actively maintained model.

This analysis is based on CVE-2026-36609 as published and available information current as of the analysis date. Specific patch availability, detailed remediation steps, and confirmation of vulnerability presence in other Mercusys models or regional variants should be verified directly with Mercusys official advisories and support channels. This assessment does not constitute a guarantee of complete vulnerability elimination and is provided for informational and risk prioritization purposes. Organizations should conduct their own testing and validation in non-production environments prior to deploying patches or configuration changes. SEC.co assumes no liability for patching outcomes or residual security gaps. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).