MEDIUM 4.3

CVE-2026-36615: Mercusys AC12G (EU) Unauthenticated Information Disclosure via /agileconfigreset Endpoint

The Mercusys AC12G (EU) router running firmware version AC12G(EU)_V1_200909 contains an unauthenticated information disclosure vulnerability. An attacker on the same local network can access a hidden endpoint (/agileconfigreset) that leaks internal buffer contents without requiring any credentials or user interaction. This information could be used to further compromise the device or the network it serves.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.3 MEDIUM · CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Weaknesses (CWE)
CWE-200
Affected products
0 configuration(s)
Published / Modified
2026-06-03 / 2026-06-17

NVD description (verbatim)

Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 exposes an undocumented /agileconfigreset endpoint that returns internal buffer contents to unauthenticated attackers on the adjacent network.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-36615 involves an undocumented API endpoint in Mercusys AC12G (EU) V1 routers that exposes sensitive internal buffer data to unauthenticated adjacent network clients. The vulnerability is rooted in improper access control and information exposure (CWE-200), allowing attackers to retrieve unfiltered memory contents via HTTP requests to /agileconfigreset. The attack vector is adjacent network (AV:A), requires no authentication or user interaction, and does not depend on specific system configurations, resulting in a CVSS v3.1 score of 4.3 (MEDIUM).

Business impact

Organizations relying on Mercusys AC12G (EU) routers for network connectivity face risk of confidentiality breach. Leaked buffer contents may reveal device credentials, configuration details, or other sensitive data that could facilitate lateral movement or network reconnaissance. While the vulnerability does not permit direct modification or denial of service, the intelligence gathered could enable follow-on attacks. Small businesses and remote offices using consumer-grade networking equipment are most exposed to this risk.

Affected systems

Mercusys AC12G (EU) V1 routers with firmware version AC12G(EU)_V1_200909 are confirmed vulnerable. Organizations should verify whether this model and firmware version are deployed in their network edge environments. Mercusys is a subsidiary brand of TP-Link, so this router may appear in heterogeneous enterprise or SOHO deployments. The vulnerability requires the attacker to be on the same local network segment (e.g., adjacent via WiFi or wired LAN), limiting exposure scope to internal threat actors or compromised network neighbors.

Exploitability

Exploitation is straightforward: an attacker with access to the same network layer can send an unauthenticated HTTP request to the /agileconfigreset endpoint without special tools or user interaction. No authentication bypass, race conditions, or complex prerequisites are required. The low complexity and lack of privilege or interaction requirements make this vulnerability accessible to any adjacent-network threat. However, the attack does not propagate beyond the local network and is unlikely to be weaponized at scale without prior device discovery.

Remediation

Firmware update is the primary remediation path. Organizations should contact Mercusys support or check their product support portal for patched firmware versions that address this information disclosure. Until a patch is available and deployed, segmentation can reduce exposure: isolate the AC12G (EU) router to a management VLAN with restricted access, implement network access controls to prevent untrusted devices from reaching the device, and monitor for suspicious HTTP requests to the management interface.

Patch guidance

Verify the current firmware version on deployed Mercusys AC12G (EU) routers and obtain the latest firmware release from the official Mercusys support portal. Firmware updates typically involve accessing the router's web administration panel, uploading the patch file, and allowing the device to reboot. Organizations should test firmware updates in a non-production environment first to ensure no disruption to network services. After patching, confirm that the /agileconfigreset endpoint no longer returns internal buffer contents by performing a brief smoke test from a test client on the network.

Detection guidance

Monitor network traffic for HTTP requests to /agileconfigreset or other undocumented endpoints on Mercusys AC12G (EU) devices. Implement intrusion detection signatures that flag anomalous HTTP requests targeting router management interfaces. Log and review access attempts to the web management interface, particularly from unexpected source IP addresses. Network segmentation and endpoint logging can help identify if internal or adjacent devices are probing the vulnerable endpoint. Consider deploying host-based monitoring on systems that communicate with the router to detect unusual patterns following a potential information leak.

Why prioritize this

Although the CVSS score is MEDIUM (4.3), the vulnerability warrants prompt attention because it enables information disclosure on a network perimeter device. Routers are trust anchors; compromise of router configuration or credentials could lead to lateral movement or persistent access. The low complexity of exploitation and absence of authentication requirements mean that opportunistic attackers may rapidly discover and exploit vulnerable instances once the vulnerability is public. Organizations with AC12G (EU) devices should prioritize identification and patching, especially if the routers are exposed to untrusted network segments.

Risk score, explained

The CVSS v3.1 score of 4.3 reflects low-to-moderate risk: the attack vector is adjacent-only (reducing external exploitability), confidentiality is limited to buffer contents rather than a full device compromise, and integrity and availability are not impacted. However, the public disclosure and lack of exploitation barriers elevate practical risk. The score does not account for the strategic importance of network devices or the potential for information leakage to facilitate advanced attacks; security teams should apply organizational context when prioritizing remediation.

Frequently asked questions

Which Mercusys AC12G models are affected by this vulnerability?

Only Mercusys AC12G (EU) V1 routers with firmware version AC12G(EU)_V1_200909 are confirmed vulnerable. Other regional variants (e.g., US or APAC models) or different firmware versions may not be affected. Check your router's firmware version in the administration panel under System Settings or Similar to confirm exposure.

Can this vulnerability be exploited from the Internet?

No. The attack requires the attacker to be on the adjacent network (LAN or WiFi segment). Remote Internet-based attackers cannot directly exploit this vulnerability, but an attacker who has compromised a device on the same network or gained unauthorized WiFi access could exploit it.

What kind of data does the /agileconfigreset endpoint expose?

The endpoint returns internal buffer contents, which may include configuration data, memory fragments, or other residual information. The exact data depends on router state and buffer management. Attackers could potentially extract credentials, network settings, or other sensitive metadata that accelerates further attacks.

Is there a workaround if firmware updates are not available?

Until an official patch is released, implement network segmentation to isolate the router's management interface, restrict access to authorized administrators only, and monitor for suspicious requests. Disabling HTTP access to the router's web interface (if HTTPS is available) may also reduce risk. Contact Mercusys support for an estimated patch timeline.

This analysis is based on the published CVE details and CVSS v3.1 scoring. Patch versions, vendor timelines, and specific exploitation details may change; verify with official Mercusys product advisories before deploying patches. This vulnerability is not currently listed on the CISA KEV catalog. SEC.co does not provide exploit code or weaponized proof-of-concept steps. Organizations should conduct their own risk assessment and compliance review based on their network environment and threat model. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).