CVE-2026-36610: Mercusys AC12G EU Plaintext DDNS Credential Disclosure
Mercusys AC12G (EU) V1 routers with firmware version AC12G(EU)_V1_200909 transmit Dynamic DNS (DDNS) credentials using only Base64 encoding over unencrypted HTTP connections. Base64 is not encryption—it's merely encoding and can be trivially decoded by anyone observing network traffic. Because the firmware lacks TLS/SSL support entirely, an attacker positioned on the network path can intercept and recover DDNS service credentials, potentially compromising the domain name update service tied to the affected router.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.9 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-319, CWE-523
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-03 / 2026-06-17
NVD description (verbatim)
Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 transmits DDNS credentials over plaintext HTTP with only Base64 encoding. The firmware contains no TLS implementation, allowing man-in-the-middle interception of DDNS service credentials.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from two critical design flaws: (1) absence of TLS implementation in the firmware, forcing all DDNS communication over plaintext HTTP, and (2) reliance on Base64 encoding as a security mechanism instead of cryptographic encryption. When the router communicates DDNS credentials to update the dynamic DNS service, an attacker performing a man-in-the-middle (MITM) attack can capture the HTTP traffic, decode the Base64-encoded credentials in seconds, and obtain valid DDNS service credentials. The attack requires network-adjacent positioning (e.g., on the same LAN, compromised ISP infrastructure, or a rogue access point) but does not require user interaction or authentication bypass.
Business impact
Compromise of DDNS credentials allows an attacker to hijack the router's domain name service, redirecting legitimate users attempting to connect to the organization's remote resources to attacker-controlled infrastructure. This enables phishing, credential harvesting, malware distribution, and service impersonation. Organizations relying on dynamic DNS for remote access, IoT management, or failover scenarios face service disruption and potential loss of customer trust. The attack is especially problematic in environments where the router serves as a critical access point for geographically distributed operations.
Affected systems
The vulnerability is specific to Mercusys AC12G (EU) V1 routers running firmware version AC12G(EU)_V1_200909. Mercusys is TP-Link's sub-brand targeting budget-conscious markets, primarily in Europe. The affected hardware revision and firmware are limited in scope, but organizations managing multiple branch or retail locations using this router model should conduct an inventory audit. Verify the exact firmware version on affected devices; the vendor advisory will clarify whether later firmware versions or hardware revisions address this flaw.
Exploitability
The attack has moderate exploitability constraints. An attacker must be on the network path (CVSS Attack Vector: Network, but Attack Complexity: High reflects the requirement for MITM positioning). No user interaction, authentication, or privileges are required. The attacker does not gain system-level access or cause availability loss, but achieves high confidentiality impact (credential disclosure). This is practical in scenarios where an attacker controls network infrastructure or has compromised a device on the LAN, making it a realistic threat in managed corporate environments and public WiFi settings where the router might be deployed.
Remediation
Primary remediation is firmware update. Contact Mercusys support or consult the product advisory to identify a patched firmware version that (1) implements TLS/SSL for DDNS communication and (2) removes reliance on Base64 encoding as a security mechanism. Organizations unable to patch immediately should consider disabling DDNS functionality if operationally feasible, restricting the router to trusted networks only, or implementing network segmentation to reduce MITM attack surface. Audit DDNS service logs and credentials for unauthorized changes or access.
Patch guidance
Check the Mercusys support portal or your vendor advisory for firmware versions released after AC12G(EU)_V1_200909. Firmware updates for consumer networking equipment are typically applied via the router's web interface (Administration > Firmware Upgrade) or CLI tools. Test the update in a non-production environment first if the router is business-critical. After patching, verify that DDNS configuration persists and that DDNS updates are now transmitted over HTTPS. Review router logs to ensure no DDNS sync failures occur post-update.
Detection guidance
Monitor network traffic for unencrypted HTTP connections from the router to known DDNS service providers (e.g., dyndns.com, no-ip.com). Use packet capture or network flow analysis to identify Base64-encoded credential patterns in HTTP POST bodies. Endpoint detection and response (EDR) tools running on devices on the same network segment may flag Base64-encoded credential strings in network logs. Set up alerts for anomalous DDNS updates or failed authentication attempts on the DDNS service provider's side. Check router access logs for configuration changes, particularly to DDNS settings.
Why prioritize this
While the CVSS score of 5.9 (Medium) reflects the requirement for MITM positioning, the impact is significant: successful exploitation results in credential compromise and potential service hijacking. Prioritize patching if (1) the router is internet-facing or accessible from untrusted networks, (2) DDNS is actively used for critical services, or (3) the device is in a high-risk environment (multi-tenant, public WiFi hotspot, or branch office). For isolated corporate network deployments or non-critical branch routers, prioritize after other high-severity vulnerabilities but before Q2 end-of-quarter security reviews.
Risk score, explained
The CVSS 3.1 score of 5.9 reflects: Attack Vector (Network) and no privilege requirement indicate broad potential reach; Attack Complexity (High) accounts for the practical need for MITM positioning; Confidentiality (High) reflects full exposure of DDNS credentials; Integrity and Availability are unaffected. The score appropriately captures a credential disclosure vulnerability with environmental constraints. Real-world risk is elevated in scenarios where network MITM is feasible (enterprise WiFi, ISP-controlled paths) or where DDNS controls critical service availability.
Frequently asked questions
Does this vulnerability allow remote code execution or system compromise?
No. The vulnerability is limited to confidentiality impact—specifically, disclosure of DDNS service credentials. An attacker cannot execute code on the router, modify its configuration remotely (beyond hijacking the DDNS domain), or cause service outages directly. However, compromised DDNS credentials enable downstream attacks such as domain hijacking, phishing, and malware distribution.
Do all Mercusys AC12G models have this issue, or only the EU V1?
The vulnerability is specific to AC12G (EU) V1 with firmware AC12G(EU)_V1_200909. Other regional variants, hardware revisions, or later firmware versions may not be affected. Consult your device's firmware version (visible in the router's web interface) and Mercusys' advisory to confirm applicability to your inventory.
What should I do if I cannot patch immediately?
Disable DDNS functionality if not operationally critical. If DDNS is required, consider restricting the router to networks you control and implementing network segmentation to limit MITM exposure. Monitor DDNS logs and credentials for unauthorized changes. Prioritize patching within 30–60 days or transition to a router with proper TLS support.
How can I verify the router is no longer vulnerable after patching?
After firmware update, inspect network traffic using a packet analyzer (Wireshark) while the router performs a DDNS update. Verify that DDNS communication is encrypted (HTTPS, TLS handshake visible) rather than plaintext HTTP. Check the router firmware version to confirm it is newer than AC12G(EU)_V1_200909. Test DDNS functionality end-to-end to ensure the update process did not introduce configuration loss.
This analysis is provided for informational purposes to support vulnerability management and security decision-making. The information is derived from the CVE record and vendor advisories as of the publication date and is subject to change. Verify all findings, patch availability, and affected product versions directly with Mercusys and applicable vendor advisories before taking action. SEC.co makes no warranty regarding the completeness or accuracy of this analysis. Organizations should conduct internal testing and risk assessment before deploying patches or remediations in production environments. This content does not constitute legal or professional security advice; consult your security team or a qualified professional for guidance specific to your environment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2023-52951MEDIUMSynology Note Station Client Cleartext Credential Transmission Vulnerability
- CVE-2026-10584MEDIUMGraph Explorer HTTPS Fallback to HTTP Vulnerability
- CVE-2026-25599MEDIUMOrca Heat Pump Unauthenticated HTTP and Stored XSS Vulnerability
- CVE-2026-43625MEDIUMCodexBar Session Cookie Leakage – Urgent Patch Required
- CVE-2026-34126HIGHTP-Link Tapo Unencrypted Bluetooth Setup Vulnerability – L535E, P300, D100C
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2018-25387MEDIUMHaPe PKH 1.1 Cross-Site Request Forgery (CSRF) Admin Password Reset
- CVE-2018-25393MEDIUMNavigate CMS 2.8.5 Path Traversal Vulnerability (CVSS 6.5)