CVE-2026-36613: Mercusys AC12G Memory Disclosure Vulnerability
Mercusys AC12G (EU) V1 routers running firmware AC12G(EU)_V1_200909 leak sensitive internal memory to unauthenticated attackers on the same network. When an attacker sends HTTP POST requests to non-existent paths on the router's web interface, the device inadvertently returns 128 bytes of uninitialized buffer memory. This exposed data may contain router state information, configuration details, or other sensitive runtime values. The vulnerability requires physical or network adjacency—an attacker must be on the same local network segment—but no authentication or user interaction is needed to trigger it.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.3 MEDIUM · CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- Weaknesses (CWE)
- CWE-125
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-03 / 2026-06-17
NVD description (verbatim)
Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 returns 128 bytes of uninitialized internal buffer contents when receiving HTTP POST requests to undefined paths, exposing server state to unauthenticated adjacent network attackers.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
This vulnerability stems from improper input handling in the Mercusys AC12G (EU) V1's HTTP server implementation. When the router receives POST requests directed to undefined or non-existent paths, the firmware fails to properly initialize or sanitize the response buffer before transmitting it to the client. This results in the transmission of 128 bytes of uninitialized heap or stack memory, classified under CWE-125 (Out-of-bounds Read). The exposure is limited to adjacent network attackers because the HTTP service is typically only accessible from devices connected to the same LAN or Wi-Fi network. The vulnerability is deterministic and repeatable—any unauthenticated client on the network can exploit it without special privileges or preconditions.
Business impact
For home and small business environments using the Mercusys AC12G router, this vulnerability creates a reconnaissance channel for local attackers. An adversary on the network can passively gather router state information to support further attacks, such as identifying running services, firmware versions, or memory patterns useful for crafting subsequent exploits. While the CVSS score of 4.3 reflects limited direct impact (read-only, no authentication required, but adjacency-limited), the intelligence disclosure can reduce the attacker's reconnaissance effort and increase the likelihood of a chained attack. Organizations deploying these routers in guest networks or multi-tenant environments should be particularly concerned.
Affected systems
This issue specifically affects Mercusys AC12G (EU) V1 units running firmware version AC12G(EU)_V1_200909. The Mercusys brand is TP-Link's budget sub-brand, and AC12G is a compact Wi-Fi 5 (802.11ac) router commonly deployed in small office and home office (SOHO) environments across Europe. Users should verify their exact hardware revision and firmware version via the router's admin interface. Firmware releases after the identified vulnerable version may contain a fix, but this must be confirmed through Mercusys support or advisory channels.
Exploitability
Exploitation is straightforward and requires minimal skill. An attacker with access to the router's local network can send a simple HTTP POST request to any undefined path (e.g., http://<router-ip>/nonexistent) using standard tools like curl or wget. No authentication credentials, user interaction, or special payload crafting is necessary. The main constraint is network adjacency—the attacker must be on the same Wi-Fi network, Ethernet segment, or have routing access to the device. This makes it suitable for insider threats, compromised guest devices, or adversaries who have gained initial network access. The vulnerability is not known to be exploited in the wild, and it has not been added to CISA's Known Exploited Vulnerabilities catalog.
Remediation
Users should immediately check for and install firmware updates from Mercusys. Visit the official Mercusys support website, enter your router model and serial number, and download the latest available firmware. Firmware updates should address this memory disclosure issue. If no newer firmware is available, consider network segmentation: restrict access to the router's web interface to trusted devices only, use firewall rules to block HTTP/HTTPS access from untrusted network segments, and monitor for suspicious POST requests to undefined paths. In high-security environments, consider replacing the device with a model from a vendor with more active security support.
Patch guidance
Obtain the latest firmware release for Mercusys AC12G (EU) V1 directly from the Mercusys support portal (verify against the vendor advisory). Firmware updates can typically be applied via the router's admin web interface under System Settings or Administration > Firmware Upgrade. Before upgrading, back up your current configuration. Allow the router 5–10 minutes to complete the update without interruption. After the update completes, verify the new firmware version is displayed in the system information page. If a patch is not yet available, monitor Mercusys security advisories and subscribe to firmware release notifications.
Detection guidance
Monitor HTTP access logs on the router (if available) for POST requests to non-existent paths. Look for unusual patterns such as repeated requests to /admin, /api, /test, or other undefined endpoints. If your router supports NetFlow or syslog export, configure it to send logs to a SIEM or log aggregation tool. On a network IDS/IPS, create a rule to flag HTTP POST requests from local clients to the router's web interface followed by responses containing large amounts of null or uninitialized data. Check for signs of reconnaissance: multiple failed authentication attempts, requests to unusual URIs, or abnormally sized HTTP responses from the router's web service.
Why prioritize this
This vulnerability merits attention in SOHO and SMB environments but should be prioritized below critical or high-risk exposures. The CVSS score of 4.3 (Medium) reflects limited scope: network adjacency is required, there is no authentication bypass, and the impact is read-only information disclosure. However, it should not be ignored, as it can facilitate further reconnaissance and attacks. Prioritize patching if the router is in a multi-tenant, guest-accessible, or high-value network segment. For isolated home networks with low-risk profiles, patching is still recommended but can be scheduled as part of routine maintenance.
Risk score, explained
The CVSS:3.1 score of 4.3 is derived from Attack Vector (Adjacent), Access Complexity (Low), Privileges Required (None), User Interaction (None), Scope (Unchanged), Confidentiality (Low), Integrity (None), and Availability (None). The Medium severity reflects that the vulnerability is easily exploitable by local attackers with no privileges, but the attack surface is limited to adjacent networks, and the impact is confined to low-level information disclosure without affecting system integrity or availability. The lack of authentication requirement increases the score, but adjacency limitation prevents a higher rating.
Frequently asked questions
Can this vulnerability be exploited from the internet or only from the local network?
Exploitation is limited to adjacent networks—typically the same Wi-Fi network, Ethernet switch, or directly connected segment. Internet-based attackers cannot trigger this vulnerability unless they have already compromised a device on the local network or gained VPN/routing access. Standard firewall configurations that block external access to the router's web interface will not help against this threat, which is why network segmentation is important.
What information could an attacker obtain from the exposed 128 bytes of memory?
The exposed memory is uninitialized buffer contents and may include fragments of router state, configuration data, memory addresses, or other runtime values depending on what was previously in that memory location. An attacker cannot directly read user passwords or Wi-Fi keys from this specific vulnerability, but the data could help an attacker understand the router's memory layout or identify running processes, which could be chained with other vulnerabilities for greater impact.
Is there a workaround if I cannot update my firmware immediately?
If no firmware update is available, implement network access controls: disable remote management of the router's web interface, use a firewall or switch to restrict HTTP/HTTPS access to the router's IP address from untrusted devices, and monitor network traffic for suspicious POST requests. These measures reduce the attack surface but do not eliminate the vulnerability. Firmware patching remains the proper remediation.
How do I verify if my router is vulnerable?
Check the router's firmware version in the admin interface (typically under System > About or Administration). If it shows AC12G(EU)_V1_200909 or an earlier version, your device is affected. Visit the Mercusys support website to check if a newer firmware release is available. If you are uncertain, consult Mercusys customer support with your router's model number and serial number.
This analysis is provided for informational purposes and reflects the vulnerability details available as of the publication date. Users should verify all technical details, patch availability, and compatibility with the official Mercusys support channels before taking action. SEC.co makes no warranty regarding the completeness or accuracy of this analysis and disclaims liability for any decisions made in reliance on this information. Exploit details are intentionally withheld; this page is designed to inform defensive security decisions only. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2025-70101MEDIUMlwext4 1.0.0 Out-of-Bounds Read Denial of Service
- CVE-2026-10305MEDIUMOut-of-Bounds Read in Samsung rlottie Animation Library
- CVE-2026-10979MEDIUMChrome ANGLE Out-of-Bounds Read Memory Disclosure Vulnerability
- CVE-2026-10985MEDIUMOut-of-Bounds Read in Google Chrome Skia – Data Leakage Vulnerability
- CVE-2026-10998MEDIUMChrome Media Out-of-Bounds Memory Read Vulnerability
- CVE-2026-10999MEDIUMGoogle Chrome ANGLE Integer Overflow Information Disclosure
- CVE-2026-11004MEDIUMChrome ANGLE Out-of-Bounds Read Memory Disclosure
- CVE-2026-11005MEDIUMOut-of-Bounds Read in Chrome ANGLE on Windows