CVE-2026-36612 in AC12G
Summary
by MITRE • 06/03/2026
Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 enables WPS 2.0 by default with a weak lockout policy (60-second lockout after 10 attempts).
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 06/03/2026
The Mercusys AC12G (EU) V1 wireless router represents a significant security vulnerability through its default configuration of WPS 2.0 functionality with inadequate lockout mechanisms. This device operates with a weak security policy that allows only a 60-second lockout period following ten failed WPS authentication attempts, creating a substantial attack surface for malicious actors seeking unauthorized network access. The vulnerability stems from the router's default settings that prioritize user convenience over security, enabling a potentially exploitable feature without proper protective measures.
This configuration flaw directly relates to CWE-307, which addresses improper restriction of repeated authentication attempts, and aligns with ATT&CK technique T1110.003 for Brute Force Attacks. The 60-second lockout period provides insufficient protection against automated credential guessing attacks, as attackers can easily execute multiple attack cycles within reasonable timeframes. The WPS 2.0 implementation, while designed to simplify network setup, introduces inherent weaknesses when deployed without proper security hardening. This particular vulnerability demonstrates how default configurations can create persistent security risks that persist across multiple deployments without explicit administrative intervention.
The operational impact of this vulnerability extends beyond simple unauthorized access to encompass potential network compromise and data exfiltration. Attackers can leverage the weak lockout policy to conduct systematic brute force attacks against the WPS PIN, exploiting the predictable timing of lockout periods to maximize their chances of success. The vulnerability affects both enterprise and consumer networks where these devices are deployed, as the default configuration remains unchanged unless explicitly modified by network administrators. This creates a widespread risk profile since many users do not modify default router settings, leaving their networks exposed to automated attack vectors.
Mitigation strategies must include immediate configuration changes to strengthen the WPS security posture, specifically by implementing longer lockout periods or disabling WPS functionality entirely when not required. Network administrators should configure the router to enforce a minimum lockout period of several minutes or disable WPS altogether, as recommended in NIST SP 800-44 guidelines for wireless network security. The implementation of network segmentation and additional authentication layers can further reduce the impact of any successful exploitation attempts. Regular security audits and firmware updates should be conducted to ensure that devices maintain appropriate security configurations, while also addressing potential firmware vulnerabilities that may compound the WPS weakness. Organizations should also implement monitoring solutions to detect unusual authentication patterns that might indicate active WPS brute force attacks.