CVE-2026-36612: Mercusys AC12G Weak WPS Lockout Policy Enables Router Compromise
The Mercusys AC12G (EU) router with firmware version AC12G(EU)_V1_200909 ships with Wi-Fi Protected Setup (WPS) enabled by default. WPS is a feature designed to simplify device pairing, but this implementation has a critical weakness: after just 10 failed PIN guesses, the device locks out for only 60 seconds. This short lockout window makes brute-force attacks against the WPS PIN feasible within a reasonable timeframe, potentially allowing an attacker within wireless range to gain administrative access to the router.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.4 MEDIUM · CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
- Weaknesses (CWE)
- CWE-1188, CWE-307
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-03 / 2026-06-17
NVD description (verbatim)
Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 enables WPS 2.0 by default with a weak lockout policy (60-second lockout after 10 attempts).
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-36612 involves improper rate limiting on WPS authentication attempts in the Mercusys AC12G (EU) V1 router. The vulnerability stems from two compounding issues: (1) WPS 2.0 is enabled by default without explicit user intervention, and (2) the lockout policy implementing only a 60-second cooldown after 10 failed attempts is insufficient to prevent practical brute-force attacks against the 4-digit or 8-digit PIN mechanism. The attack vector is adjacent network (AV:A), requiring the attacker to be within wireless range; however, user interaction (UI:R) is required in the sense that the device must be in an exploitable state. The weakness is classified under CWE-1188 (Initialization with Hard-Coded Network Resource Configuration Data) and CWE-307 (Improper Restriction of Rendered UI Layers or Frames), reflecting both the insecure default configuration and the inadequate brute-force protection.
Business impact
Compromise of a home or small office router can expose all traffic passing through it to interception or manipulation. An attacker gaining administrative access via WPS can modify network settings, install malware on connected devices, intercept credentials, or use the router as a pivot point to attack connected computers and IoT devices. For small businesses or remote workers relying on this device for network security, the impact extends to data confidentiality, integrity, and availability. Additionally, the router may be conscripted into a botnet or used to launch attacks on external targets, creating legal and reputational liability for the network owner.
Affected systems
This vulnerability specifically affects Mercusys AC12G (EU) V1 devices running firmware AC12G(EU)_V1_200909. Mercusys is a TP-Link subsidiary focused on entry-level networking products. Organizations and individuals using this specific router model and firmware version are at direct risk. Users should verify their device model (check the label on the device) and firmware version (accessible via the router's web interface or management app) to confirm exposure.
Exploitability
Exploitation requires proximity to the target network (adjacent network access) and can be performed using readily available WPS PIN cracking tools such as Reaver or Pixiewps. The 60-second lockout after 10 attempts is weak by design; an attacker can cycle through hundreds of PIN combinations over hours or days with minimal effort. The attack does not require any special privileges or special conditions beyond physical or wireless proximity. However, the requirement for user interaction (noted in the CVSS vector) reflects that the router must be in an exploitable state and may require the attacker to have some baseline knowledge of the device's presence. The overall CVSS score of 6.4 (Medium) balances the high confidentiality and integrity impact against the adjacency requirement and the time investment needed to crack the PIN.
Remediation
The primary remediation is to disable WPS 2.0 entirely on the affected device. Users should log into the router's web interface, navigate to the WPS settings, and toggle WPS off. Mercusys should release a firmware patch that (1) disables WPS by default, (2) implements a substantially longer lockout period (e.g., 24+ hours after repeated failures), or (3) removes WPS support altogether. Until a patch is available and applied, administrators should assume any AC12G (EU) V1 device running the vulnerable firmware is at risk. Alternatively, if WPS is not needed, users can safely assume they are protected by disabling it manually.
Patch guidance
As of the vulnerability publication date (2026-06-03), verify with Mercusys support or check the official Mercusys AC12G product page for firmware updates beyond AC12G(EU)_V1_200909. When a patch becomes available, it will likely be distributed through the router's web interface under System Settings > Firmware Upgrade, or it can be manually downloaded from Mercusys's official support portal. Do not obtain firmware from third-party sources. After updating, verify the new firmware version in the device settings and confirm that WPS has been disabled by default or is no longer available. Test wireless connectivity with a known device to ensure the update does not introduce new issues.
Detection guidance
Network administrators can identify vulnerable devices by scanning the network for devices advertising WPS capability (WPS-enabled routers broadcast this in beacon frames). Tools like Wash or commercial WiFi assessment platforms can enumerate WPS-enabled devices. Additionally, users can check their router's configuration by accessing the web interface (typically 192.168.0.1 or 192.168.1.1) and reviewing the Wireless settings or WPS section. Organizations managing multiple routers should implement configuration management or device inventory systems to track firmware versions and flag AC12G devices running version AC12G(EU)_V1_200909 for immediate remediation. Enable logging on the router (if available) to monitor for repeated failed authentication attempts, which may indicate active exploitation.
Why prioritize this
Although the CVSS score is Medium (6.4), the practical risk is elevated for home and small office deployments because: (1) entry-level devices like the Mercusys AC12G are commonly installed without security hardening, (2) end-users are unlikely to know how to disable WPS or recognize the threat, (3) the attack requires only proximity and common tools, and (4) successful exploitation leads to full network compromise. Organizations using this device should deprioritize other mitigations in favor of immediately disabling WPS or applying patches. The lack of KEV designation suggests this vulnerability has not yet been observed in active exploit campaigns, but the ease of exploitation makes it a matter of time.
Risk score, explained
The CVSS 3.1 score of 6.4 is derived from: Attack Vector Adjacent (within wireless range), Attack Complexity High (requires multiple PIN guesses and time investment), Privileges Required None, User Interaction Required (device must be in vulnerable state), Scope Unchanged, Confidentiality High (attacker can read all router traffic), Integrity High (attacker can modify router settings and traffic), and Availability None (the router remains functional). The score reflects a scenario where an attacker is already within wireless range and has time to conduct a brute-force attack. The 'High' rating on confidentiality and integrity reflects the critical impact of router compromise; however, the Medium severity acknowledges the adjacency requirement and the time investment needed.
Frequently asked questions
Can I be exploited if I have a strong Wi-Fi password?
Yes. Wi-Fi password strength is independent of WPS PIN security. WPS uses a separate 4- or 8-digit PIN mechanism for pairing devices, which is distinct from your Wi-Fi Pre-Shared Key (PSK). An attacker does not need your Wi-Fi password to target WPS; they only need wireless range. However, disabling WPS entirely is the best defense.
How do I know if my router is vulnerable?
Check if you own a Mercusys AC12G (EU) V1 device and verify the firmware version by logging into the router's web interface. If the version is AC12G(EU)_V1_200909, the device is vulnerable. You can also check whether WPS is enabled in the wireless settings; if WPS is visible and enabled, disable it immediately. Mercusys will release a patched firmware version that either removes or hardens WPS.
What happens if someone successfully exploits this?
An attacker who cracks the WPS PIN gains full administrative access to the router. They can change your Wi-Fi password, intercept all network traffic passing through the router, inject malicious content into web pages you visit, compromise connected devices (computers, phones, smart home devices), or use the router as a staging point to attack other networks. The attacker is essentially inside your network perimeter.
Why is WPS even enabled by default if it is insecure?
WPS was designed to simplify device pairing for non-technical users, but the weak PIN implementation and inadequate rate limiting make it a liability. Industry best practices now recommend disabling WPS by default or removing it entirely. This vulnerability is a reminder that 'convenient' default settings often come at the cost of security. Mercusys should revise their security posture in future firmware and product releases.
This analysis is provided for informational purposes only and does not constitute legal or professional advice. Vulnerability details are accurate as of the publication and modification dates listed; however, vendor advisories and patch releases may supersede this guidance. Readers should verify patch availability and compatibility with their specific hardware and firmware versions before applying updates. SEC.co makes no warranty regarding the accuracy, completeness, or timeliness of this information. Use of this information to conduct unauthorized access to computer systems is illegal. Always test patches in a controlled environment before deploying to production. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-36616MEDIUMMercusys AC12G Hardcoded WiFi Credentials Vulnerability
- CVE-2026-10216LOWWeak Authentication Rate-Limiting in unitedbyai Droidclaw
- CVE-2026-35672HIGHphpMyFAQ Authentication Bypass Allows Unauthorized FAQ Content Injection
- CVE-2026-35675HIGHphpMyFAQ Password Reset Authentication Bypass – Account Takeover
- CVE-2026-36607HIGHMercusys AC12G Router Brute-Force Vulnerability – Rate Limiting Bypass
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2018-25387MEDIUMHaPe PKH 1.1 Cross-Site Request Forgery (CSRF) Admin Password Reset
- CVE-2018-25393MEDIUMNavigate CMS 2.8.5 Path Traversal Vulnerability (CVSS 6.5)