CVE-2026-36607 in AC12G
Summary
by MITRE • 06/03/2026
Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 allows unauthenticated brute-force attacks via the TDDP password change endpoint (code=10), which lacks the rate limiting applied to the login endpoint (code=7). An attacker on the adjacent network can attempt unlimited passwords without triggering account lockout.
Analysis
by VulDB Data Team • 06/04/2026
The Mercusys AC12G (EU) V1 router has a critical authentication weakness rooted in inconsistent access control within its TDDP protocol stack. The device exposes two authentication paths: the login endpoint (code=7) enforces rate limiting against brute-force attempts, while the password change endpoint (code=10) has no such protection. This gap violates the principle of least privilege and the authentication-control guidance of frameworks such as NIST SP 800-63B. Because the password change function accepts unlimited attempts, automated tools can systematically guess credentials without ever triggering the account lockout.
Technically, the flaw is a design inconsistency in the router's authentication service: the password change function does not enforce the controls applied to the primary login process. This is a CWE-307 weakness (improper restriction of repeated access attempts), located in the password change endpoint rather than the login endpoint. It is reachable at the network level by an attacker positioned on the adjacent network, without prior authentication or network reconnaissance. The TDDP implementation fails to apply consistent security controls across its authentication functions, and that inconsistency is the exploitable gap.
The operational impact goes beyond simple credential guessing: the attacker gains an unbounded window in which to compromise the device. A prolonged brute-force campaign against the password change endpoint could exhaust the practical password space within a reasonable timeframe. Devices left on default or weak passwords are most exposed, since the missing rate limit removes the only effective deterrent against automated attack tools. The threat persists until the firmware is updated or the password change function is otherwise protected.
Mitigation requires a firmware update from the manufacturer that applies rate limiting to all authentication endpoints, including the password change function. Until then, network segmentation and access control should keep adjacent-network attackers from reaching the device, and the router's management interfaces should be locked down. Defences should be mapped against established frameworks such as the MITRE ATT&CK credential access techniques, in particular brute force against network services. Organizations should also monitor for unusual authentication patterns that may indicate brute-force activity against the device, and consider network access control solutions that restrict device access by network position and user identity.
The vulnerability reflects a failure in the security design phase of the router's development lifecycle: authentication controls were not applied consistently across all service endpoints. This is a common pattern in embedded devices, where secondary authentication functions receive less scrutiny than the primary login mechanism and the resulting inconsistencies become exploitable. The correct implementation enforces identical rate limiting on every password-related function, so that the password change endpoint behaves exactly like the login endpoint with respect to access control and attempt monitoring.
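The following is an added illustration of the two points made above (the inconsistent limiter in the analysis, and the uniform rate limiting plus monitoring recommended in the mitigation); it is example code written for this page, not Mercusys firmware or VulDB tooling. It assumes the TDDP opcodes are handled as plain integers, that the caller reports each failed attempt to the limiter, and that the authentication log follows the constructed `SAMPLE_LOG` format below; the per-source thresholds are arbitrary defaults.

```python
"""Per-source authentication limiter applied to every TDDP opcode, plus a
log-based detector for repeated password-change failures.

Added example, not vendor code. Opcode numbers come from the advisory;
the log format, thresholds and helper names are assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
import re

LOGIN = 7             # TDDP login opcode named in the advisory
PASSWORD_CHANGE = 10  # TDDP password-change opcode named in the advisory


@dataclass
class AttemptLimiter:
    """Sliding-window failure counter keyed by source address.

    `protected` is the set of opcodes whose failures count towards lockout.
    The flawed firmware behaves like protected={LOGIN}: code=10 bypasses the
    counter entirely. The fix is protected={LOGIN, PASSWORD_CHANGE}, and one
    counter per source is shared by every opcode, so switching from the
    login path to the password-change path does not reset it.
    """
    protected: frozenset
    max_failures: int = 5      # failures in `window` seconds before lockout
    window: float = 60.0
    lockout: float = 300.0     # seconds a locked source is refused
    _failures: dict = field(default_factory=lambda: defaultdict(deque))
    _locked_until: dict = field(default_factory=dict)

    def allow(self, src: str, code: int, now: float) -> bool:
        """Return True if `src` may attempt opcode `code` at time `now`."""
        if code not in self.protected:
            return True        # unprotected path: this is the CWE-307 gap
        return now >= self._locked_until.get(src, 0.0)

    def record_failure(self, src: str, code: int, now: float) -> None:
        """Count a failed attempt and lock the source once it exceeds the limit."""
        if code not in self.protected:
            return
        q = self._failures[src]
        q.append(now)
        while q and now - q[0] > self.window:   # drop stale failures
            q.popleft()
        if len(q) >= self.max_failures:
            self._locked_until[src] = now + self.lockout


def count_allowed_attempts(limiter, src, code, attempts, start=0.0):
    """Simulate `attempts` consecutive wrong guesses one second apart and
    return how many the limiter actually let through."""
    allowed = 0
    for i in range(attempts):
        now = start + i
        if limiter.allow(src, code, now):
            allowed += 1
            limiter.record_failure(src, code, now)
    return allowed


# Constructed sample log (not captured from a real device).
SAMPLE_LOG = """\
2026-03-06T10:00:01 src=192.0.2.10 tddp code=10 result=fail
2026-03-06T10:00:02 src=192.0.2.10 tddp code=10 result=fail
2026-03-06T10:00:03 src=192.0.2.10 tddp code=10 result=fail
2026-03-06T10:00:04 src=192.0.2.10 tddp code=10 result=fail
2026-03-06T10:00:05 src=192.0.2.10 tddp code=10 result=fail
2026-03-06T10:00:06 src=192.0.2.10 tddp code=10 result=fail
2026-03-06T10:00:07 src=192.0.2.20 tddp code=7 result=fail
2026-03-06T10:00:08 src=192.0.2.20 tddp code=7 result=fail
2026-03-06T10:00:09 src=192.0.2.20 tddp code=7 result=fail
2026-03-06T10:00:10 src=192.0.2.20 tddp code=10 result=fail
2026-03-06T10:00:11 src=192.0.2.20 tddp code=10 result=ok
"""
LOG_RE = re.compile(r"src=(?P<src>\S+) tddp code=(?P<code>\d+) result=(?P<res>\w+)")


def detect_password_change_bruteforce(log_text: str, threshold: int = 5) -> list:
    """Return sources with at least `threshold` failed code=10 attempts,
    the pattern a device without rate limiting would never block itself."""
    fails = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and int(m.group("code")) == PASSWORD_CHANGE and m.group("res") == "fail":
            fails[m.group("src")] += 1
    return sorted(src for src, n in fails.items() if n >= threshold)


if __name__ == "__main__":
    flawed = AttemptLimiter(protected=frozenset({LOGIN}))
    fixed = AttemptLimiter(protected=frozenset({LOGIN, PASSWORD_CHANGE}))
    print("flawed, code=10:", count_allowed_attempts(flawed, "198.51.100.5", PASSWORD_CHANGE, 100))
    print("fixed,  code=10:", count_allowed_attempts(fixed, "198.51.100.5", PASSWORD_CHANGE, 100))
    print("flagged sources:", detect_password_change_bruteforce(SAMPLE_LOG))
```

With the flawed configuration all 100 password-change guesses pass, while the corrected limiter admits only `max_failures` before locking the source; because the counter is shared across opcodes, failures on code=7 and code=10 accumulate together, closing the loophole of alternating endpoints. The detector is the monitoring side of the same control: it flags any source with repeated code=10 failures, which is what an external sensor would see from a device that does not rate-limit itself.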