CVE-2026-36615: Mercusys AC12G (EU) Unauthenticated Information Disclosure via /agileconfigreset Endpoint
The Mercusys AC12G (EU) router running firmware version AC12G(EU)_V1_200909 contains an unauthenticated information disclosure vulnerability. An attacker on the same local network can access a hidden endpoint (/agileconfigreset) that leaks internal buffer contents without requiring any credentials or user interaction. This information could be used to further compromise the device or the network it serves.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.3 MEDIUM · CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- Weaknesses (CWE)
- CWE-200
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-03 / 2026-06-17
NVD description (verbatim)
Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 exposes an undocumented /agileconfigreset endpoint that returns internal buffer contents to unauthenticated attackers on the adjacent network.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-36615 involves an undocumented API endpoint in Mercusys AC12G (EU) V1 routers that exposes sensitive internal buffer data to unauthenticated adjacent network clients. The vulnerability is rooted in improper access control and information exposure (CWE-200), allowing attackers to retrieve unfiltered memory contents via HTTP requests to /agileconfigreset. The attack vector is adjacent network (AV:A), requires no authentication or user interaction, and does not depend on specific system configurations, resulting in a CVSS v3.1 score of 4.3 (MEDIUM).
Business impact
Organizations relying on Mercusys AC12G (EU) routers for network connectivity face risk of confidentiality breach. Leaked buffer contents may reveal device credentials, configuration details, or other sensitive data that could facilitate lateral movement or network reconnaissance. While the vulnerability does not permit direct modification or denial of service, the intelligence gathered could enable follow-on attacks. Small businesses and remote offices using consumer-grade networking equipment are most exposed to this risk.
Affected systems
Mercusys AC12G (EU) V1 routers with firmware version AC12G(EU)_V1_200909 are confirmed vulnerable. Organizations should verify whether this model and firmware version are deployed in their network edge environments. Mercusys is a subsidiary brand of TP-Link, so this router may appear in heterogeneous enterprise or SOHO deployments. The vulnerability requires the attacker to be on the same local network segment (e.g., adjacent via WiFi or wired LAN), limiting exposure scope to internal threat actors or compromised network neighbors.
Exploitability
Exploitation is straightforward: an attacker with access to the same network layer can send an unauthenticated HTTP request to the /agileconfigreset endpoint without special tools or user interaction. No authentication bypass, race conditions, or complex prerequisites are required. The low complexity and lack of privilege or interaction requirements make this vulnerability accessible to any adjacent-network threat. However, the attack does not propagate beyond the local network and is unlikely to be weaponized at scale without prior device discovery.
Remediation
Firmware update is the primary remediation path. Organizations should contact Mercusys support or check their product support portal for patched firmware versions that address this information disclosure. Until a patch is available and deployed, segmentation can reduce exposure: isolate the AC12G (EU) router to a management VLAN with restricted access, implement network access controls to prevent untrusted devices from reaching the device, and monitor for suspicious HTTP requests to the management interface.
Patch guidance
Verify the current firmware version on deployed Mercusys AC12G (EU) routers and obtain the latest firmware release from the official Mercusys support portal. Firmware updates typically involve accessing the router's web administration panel, uploading the patch file, and allowing the device to reboot. Organizations should test firmware updates in a non-production environment first to ensure no disruption to network services. After patching, confirm that the /agileconfigreset endpoint no longer returns internal buffer contents by performing a brief smoke test from a test client on the network.
Detection guidance
Monitor network traffic for HTTP requests to /agileconfigreset or other undocumented endpoints on Mercusys AC12G (EU) devices. Implement intrusion detection signatures that flag anomalous HTTP requests targeting router management interfaces. Log and review access attempts to the web management interface, particularly from unexpected source IP addresses. Network segmentation and endpoint logging can help identify if internal or adjacent devices are probing the vulnerable endpoint. Consider deploying host-based monitoring on systems that communicate with the router to detect unusual patterns following a potential information leak.
Why prioritize this
Although the CVSS score is MEDIUM (4.3), the vulnerability warrants prompt attention because it enables information disclosure on a network perimeter device. Routers are trust anchors; compromise of router configuration or credentials could lead to lateral movement or persistent access. The low complexity of exploitation and absence of authentication requirements mean that opportunistic attackers may rapidly discover and exploit vulnerable instances once the vulnerability is public. Organizations with AC12G (EU) devices should prioritize identification and patching, especially if the routers are exposed to untrusted network segments.
Risk score, explained
The CVSS v3.1 score of 4.3 reflects low-to-moderate risk: the attack vector is adjacent-only (reducing external exploitability), confidentiality is limited to buffer contents rather than a full device compromise, and integrity and availability are not impacted. However, the public disclosure and lack of exploitation barriers elevate practical risk. The score does not account for the strategic importance of network devices or the potential for information leakage to facilitate advanced attacks; security teams should apply organizational context when prioritizing remediation.
Frequently asked questions
Which Mercusys AC12G models are affected by this vulnerability?
Only Mercusys AC12G (EU) V1 routers with firmware version AC12G(EU)_V1_200909 are confirmed vulnerable. Other regional variants (e.g., US or APAC models) or different firmware versions may not be affected. Check your router's firmware version in the administration panel under System Settings or Similar to confirm exposure.
Can this vulnerability be exploited from the Internet?
No. The attack requires the attacker to be on the adjacent network (LAN or WiFi segment). Remote Internet-based attackers cannot directly exploit this vulnerability, but an attacker who has compromised a device on the same network or gained unauthorized WiFi access could exploit it.
What kind of data does the /agileconfigreset endpoint expose?
The endpoint returns internal buffer contents, which may include configuration data, memory fragments, or other residual information. The exact data depends on router state and buffer management. Attackers could potentially extract credentials, network settings, or other sensitive metadata that accelerates further attacks.
Is there a workaround if firmware updates are not available?
Until an official patch is released, implement network segmentation to isolate the router's management interface, restrict access to authorized administrators only, and monitor for suspicious requests. Disabling HTTP access to the router's web interface (if HTTPS is available) may also reduce risk. Contact Mercusys support for an estimated patch timeline.
This analysis is based on the published CVE details and CVSS v3.1 scoring. Patch versions, vendor timelines, and specific exploitation details may change; verify with official Mercusys product advisories before deploying patches. This vulnerability is not currently listed on the CISA KEV catalog. SEC.co does not provide exploit code or weaponized proof-of-concept steps. Organizations should conduct their own risk assessment and compliance review based on their network environment and threat model. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-10254MEDIUMUnauthenticated Information Disclosure in SourceCodester Pet Grooming Software
- CVE-2026-10854MEDIUMMISP Galaxy Visibility Control Bypass – Unauthorized Private Metadata Access
- CVE-2026-10864MEDIUMMISP Dashboard Widget Field Filtering Bypass (Medium)
- CVE-2026-2128MEDIUMBreeze WordPress Plugin Cache Information Disclosure (v2.5.2 and earlier)
- CVE-2026-28511MEDIUMeLabFTW Information Disclosure – Title Exposure via Cross-Scope Search
- CVE-2026-36602MEDIUMMercusys AC12G Kernel Memory Disclosure via UPnP
- CVE-2026-36618MEDIUMMercusys AC12G DNS Version Disclosure Vulnerability
- CVE-2026-42358MEDIUMApache Airflow Secret Masking Bypass for Deeply Nested JSON Variables