CVE-2026-36613 in AC12G
Summary
by MITRE • 06/03/2026
Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 returns 128 bytes of uninitialized internal buffer contents when receiving HTTP POST requests to undefined paths, exposing server state to unauthenticated adjacent network attackers.
Analysis
by VulDB Data Team • 06/03/2026
This vulnerability exists in the Mercusys AC12G (EU) V1 wireless access point, consumer-grade networking equipment designed for home and small office use. The device runs firmware version AC12G(EU)_V1_200909 and exhibits a critical information disclosure flaw when processing HTTP POST requests directed to undefined or non-existent paths within the device's web interface.

The flaw stems from improper memory management: the device's HTTP server component fails to initialize internal buffers before returning response data. When an attacker sends a crafted POST request to an undefined endpoint, the server responds with 128 bytes of uninitialized memory contents that may contain sensitive data from the device's internal state, including potentially volatile memory segments, stack contents, or remnants of previous operations. This type of vulnerability aligns with CWE-1287, which specifically addresses information exposure through uninitialized memory, and falls under the broader category of information disclosure vulnerabilities.

The attack vector is particularly concerning because it requires only adjacent network access: an attacker within the same local network segment can exploit this vulnerability without authentication or remote access capabilities.

The operational impact is significant, as the flaw exposes internal server state that could reveal device configuration details, memory layout information, or other sensitive data that might aid further exploitation attempts. The uninitialized memory exposure could give attackers insight into the device's internal architecture, memory organization, or even partial stack contents that could be leveraged for more sophisticated attacks.
According to ATT&CK framework category T1212, this represents an information exposure technique that can be used to gather intelligence for subsequent exploitation phases. The vulnerability affects the device's web server implementation and specifically targets the HTTP protocol handling mechanism. The exposure of uninitialized memory contents creates a potential attack surface where attackers can perform reconnaissance to understand the device's internal state, which could facilitate more targeted attacks against the device's other components or services.

This type of information disclosure vulnerability is particularly dangerous in networked environments where devices are not properly segmented or isolated, as it could provide attackers with enough information to plan more complex exploitation strategies. The vulnerability represents a fundamental flaw in the device's secure coding practices and highlights the importance of proper memory initialization and input validation in embedded network devices.

Organizations should consider immediate mitigation measures, including firmware updates from the vendor, network segmentation to limit adjacent access, and monitoring for suspicious HTTP traffic patterns that might indicate exploitation attempts. The device's exposure to unauthenticated adjacent network attackers makes this vulnerability particularly dangerous in shared network environments where physical or network access can be easily obtained by malicious actors.
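The bug class described in the analysis, shown as an added example beside its hardened form; this is not Mercusys firmware code and is not taken from the advisory. The reused `scratch` buffer, the function names and the sample token are assumptions constructed so that the stale data is deterministic; only the 128-byte length comes from the advisory.

```c
#include <stdio.h>
#include <string.h>

#define RESP_LEN 128                 /* leak size stated in the advisory */
static char scratch[RESP_LEN];       /* hypothetical buffer reused across requests */

/* Simulates an earlier operation leaving data behind in the shared buffer. */
void prior_request(const char *data) {
    snprintf(scratch, sizeof scratch, "%s", data);
}

/* Flawed pattern: writes a short body but reports the whole buffer as the response. */
size_t build_404_flawed(char *out, size_t out_sz) {
    memcpy(scratch, "404", 3);                     /* rest of buffer untouched */
    size_t n = RESP_LEN < out_sz ? RESP_LEN : out_sz;
    memcpy(out, scratch, n);
    return n;                                      /* fixed length, stale tail included */
}

/* Hardened pattern: clear the buffer, then send only the bytes actually written. */
size_t build_404_fixed(char *out, size_t out_sz) {
    memset(scratch, 0, sizeof scratch);
    int w = snprintf(scratch, sizeof scratch, "404 Not Found");
    if (w < 0) return 0;
    size_t n = (size_t)w < sizeof scratch ? (size_t)w : sizeof scratch - 1;
    if (n > out_sz) n = out_sz;
    memcpy(out, scratch, n);
    return n;
}

/* Returns 1 if needle occurs within the first n bytes of buf. */
int contains(const char *buf, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; m && i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

int main(void) {
    char out[RESP_LEN];
    prior_request("session=CONSTRUCTED-SAMPLE-TOKEN");   /* constructed sample data */
    size_t n = build_404_flawed(out, sizeof out);
    printf("flawed: %zu bytes, stale data: %d\n", n, contains(out, n, "SAMPLE-TOKEN"));
    prior_request("session=CONSTRUCTED-SAMPLE-TOKEN");
    n = build_404_fixed(out, sizeof out);
    printf("fixed:  %zu bytes, stale data: %d\n", n, contains(out, n, "SAMPLE-TOKEN"));
    return 0;
}
```

The same check works as a regression test for an error path: the response length must equal the number of bytes the handler wrote, not the size of its buffer.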