CVE-2026-36616: Mercusys AC12G Hardcoded WiFi Credentials Vulnerability
Mercusys AC12G (EU) V1 routers contain hardcoded credentials baked directly into the firmware. A researcher can extract a WiFi driver password, RADIUS shared secret, WPS test key, and default network password from the device's production binary. This allows someone with network access to bypass WiFi protections and potentially reach internal network resources, though the attack requires being within radio range and some technical effort to extract and use these credentials.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.9 MEDIUM · CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
- Weaknesses (CWE)
- CWE-1188, CWE-798
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-03 / 2026-06-17
NVD description (verbatim)
Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 contains hardcoded WiFi driver credentials including a RADIUS shared secret, WPS test key, and default PSK embedded in the production firmware binary.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-36616 involves multiple hardcoded secrets embedded in the Mercusys AC12G (EU) V1 firmware binary version AC12G(EU)_V1_200909. The vulnerability exposes a RADIUS shared secret, WPS (WiFi Protected Setup) test key, and default pre-shared key (PSK). These credentials are statically compiled into the device firmware and cannot be changed through normal configuration. An attacker with network proximity can extract these secrets via firmware analysis or memory dumps, then use them to authenticate to the wireless network or interact with WiFi driver services. The RADIUS secret disclosure is particularly significant in enterprise deployments using 802.1X authentication schemes.
Business impact
Organizations using this router model for wireless access—particularly in SMB or branch office settings—risk unauthorized network entry by employees or nearby attackers. If the router serves as an edge device for a corporate network, credential disclosure could facilitate lateral movement. The RADIUS secret exposure poses a direct threat to any enterprise authentication infrastructure relying on that shared secret. Recovery requires firmware replacement and credentialing rotation across dependent systems, introducing operational disruption and potential security review costs.
Affected systems
Mercusys AC12G routers with EU firmware version AC12G(EU)_V1_200909 are confirmed affected. This device is a budget-class dual-band WiFi router commonly deployed in small office and consumer environments. Check your device model (AC12G EU variant) and firmware version against the specified build date (200909 = September 9, 2020). Devices running older firmware or the EU regional variant are the focus; verify your exact firmware version via the device's admin interface.
Exploitability
Exploitation requires network-layer access (attacker must be within WiFi range or able to capture firmware). CVSS reflects this: attack vector is adjacent network (AV:A) and complexity is high (AC:H), indicating the attacker must perform firmware extraction and credential parsing. No remote code execution or privilege escalation is enabled by this flaw alone; impact is confined to confidentiality (reading network credentials) and minor integrity concerns (WPS test key could allow rogue device pairing). The vulnerability is not currently in the CISA Known Exploited Vulnerabilities catalog, suggesting active exploitation in the wild is limited but not ruled out.
Remediation
Mercusys should release a patched firmware version removing hardcoded credentials and implementing secure credential storage. Users must update to any post-fix firmware build. As an interim measure, organizations should disable WPS, enforce strong WiFi encryption (WPA3 or strong WPA2), and monitor for suspicious authentication attempts. Consider network segmentation: isolate the router's management interface and restrict wireless access to known MAC addresses if supported.
Patch guidance
Check the Mercusys support page for the AC12G EU model for available firmware updates released after June 2026. Firmware updates are typically applied via the device's web interface (usually 192.168.0.1). Before updating, document your current network configuration. Test the patched firmware in a non-production environment if possible. After patching, verify that hardcoded credentials are no longer extractable from the firmware binary (this may require a security researcher's validation or Mercusys security advisory confirmation). If no patch is available from Mercusys within 90 days, consider device replacement.
Detection guidance
Monitor router logs for unusual authentication failures or WPS events. Use network analysis tools to detect multiple failed WiFi connection attempts from unknown clients, which may indicate credential guessing. If you can access the device firmware binary, run string extraction tools (e.g., 'strings' command) to scan for plaintext credentials; their presence indicates the unpatched version. Perform periodic firmware integrity checks and compare the binary hash against known-good vendor hashes once patches are released.
Why prioritize this
CVSS 5.9 (Medium) reflects that exploitation requires adjacent network access and technical effort, capping impact severity. However, the confidentiality rating is High because all WiFi authentication credentials are compromised. Organizations with this router model—particularly those using it for enterprise WiFi or RADIUS integration—should prioritize firmware updates. Consumer/SMB users with isolated networks face lower risk but should still update to eliminate credential exposure.
Risk score, explained
The CVSS 3.1 vector CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N assigns a score of 5.9. Adjacent Network vector (AV:A) reflects that an attacker must be within WiFi range or intercept the firmware. High Complexity (AC:H) accounts for the need to extract and parse the firmware binary to recover credentials. No privileges required (PR:N) and no user interaction needed (UI:N). High Confidentiality impact (C:H) stems from full exposure of all WiFi authentication secrets. Low Integrity impact (I:L) reflects potential for rogue device injection via WPS test key. No availability impact. Organizations with tight physical security around their wireless infrastructure may argue for lower effective risk; those in open or multi-tenant environments should treat this as higher priority.
Frequently asked questions
How do I know if my Mercusys AC12G router is affected?
Check the device's firmware version via the admin interface (typically found under System Tools or Administration > Firmware Upgrade). The affected version is AC12G(EU)_V1_200909. Only the EU variant of the AC12G with this specific firmware is confirmed vulnerable. Check the model number on the device label and verify it matches AC12G (EU).
Can someone use the hardcoded credentials remotely without being on my WiFi?
The RADIUS shared secret and WPS key could theoretically be exploited remotely if an attacker has access to those systems independently, but direct WiFi access requires being within radio range. The hardcoded PSK alone does not grant remote network entry if your router is properly isolated. However, if the router is exposed to an open network or shared space, physical proximity becomes a realistic threat vector.
What is the difference between the RADIUS secret and the WiFi password in this vulnerability?
The RADIUS shared secret is used for backend authentication between the router and an enterprise authentication server (common in corporate WiFi). The WPS test key and default PSK are the WiFi network password. Exposure of all three allows both consumer-level WiFi hijacking and potential compromise of enterprise authentication infrastructure if the router is used in a corporate environment.
Should I disable WiFi on this router until I can patch it?
If the router is not currently in use or can be replaced temporarily, disabling WiFi eliminates network access risk. If it must remain operational, apply the strongest available WiFi encryption (WPA3 if supported, else WPA2 with a strong passphrase override), disable WPS entirely, and restrict connections to known devices. Monitor for unauthorized connections. Prioritize obtaining and applying the patch immediately.
This analysis is based on the CVE record published on 2026-06-03 and modified on 2026-06-17. Specific patch version numbers and availability should be verified directly with Mercusys support or security advisories. SEC.co does not provide warranty on the accuracy of derived risk assessments. Organizations should conduct their own asset inventory and impact analysis before prioritizing remediation. Exploit code or detailed extraction techniques are not provided; responsible disclosure practices should be followed if testing is conducted. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-21404MEDIUMNAVTOR NavBox Hard-Coded SOAP Credentials Allow Local File Modification
- CVE-2026-25600MEDIUMPDBM Hard-Coded Encryption Secret Vulnerability
- CVE-2026-36612MEDIUMMercusys AC12G Weak WPS Lockout Policy Enables Router Compromise
- CVE-2019-25722HIGHHard-Coded Credentials and DoS in Dräger Patient Monitoring Devices
- CVE-2026-35672HIGHphpMyFAQ Authentication Bypass Allows Unauthorized FAQ Content Injection
- CVE-2026-36606HIGHMercusys AC12G V1 Hardcoded DES Encryption in Configuration Backups
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2018-25387MEDIUMHaPe PKH 1.1 Cross-Site Request Forgery (CSRF) Admin Password Reset