CVE-2026-36616 in AC12G
Summary
by MITRE • 06/03/2026
Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 contains hardcoded WiFi driver credentials including a RADIUS shared secret, WPS test key, and default PSK embedded in the production firmware binary.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 06/03/2026
This vulnerability represents a critical security flaw in the Mercusys AC12G (EU) V1 wireless access point firmware where hardcoded credentials are embedded within the production binary. The presence of these hardcoded values creates a persistent security risk that affects multiple authentication mechanisms within the device. The inclusion of a RADIUS shared secret indicates that the device uses this hardcoded value for authenticating with external RADIUS servers, while the WPS test key suggests that the device has a default WPS configuration that can be exploited by attackers. The default PSK embedded in the firmware provides a direct path for unauthorized access to the wireless network. This type of vulnerability falls under CWE-259 Use of Hardcoded Password and CWE-798 Use of Hardcoded Credentials, both of which are classified as high-risk issues in the CWE database. The operational impact of this vulnerability is severe as it allows attackers to gain unauthorized access to the wireless network without requiring knowledge of legitimate credentials. An attacker who gains access to the firmware binary can extract these hardcoded credentials and use them to authenticate with the wireless network, potentially gaining access to the entire network infrastructure. This vulnerability also enables credential stuffing attacks and can be exploited as part of a broader attack chain in the MITRE ATT&CK framework under the T1212 Exploitation for Credential Access technique. The presence of these hardcoded credentials means that even if legitimate users change their passwords, the device will continue to use these hardcoded values for authentication purposes, creating a persistent backdoor. The vulnerability affects the device's ability to maintain secure network access and can be exploited by attackers with minimal technical expertise. Network administrators cannot rely on traditional credential management practices to secure the device, as the credentials are embedded within the firmware itself. This type of vulnerability is particularly concerning for enterprise environments where wireless access points are deployed in large numbers and where the compromise of a single device can potentially provide access to larger network segments. The firmware update process for this device may not address the hardcoded credentials, as they are embedded within the binary itself rather than being configurable through the device's management interface. This makes the vulnerability particularly persistent and difficult to remediate without a complete firmware replacement. The vulnerability also impacts the device's compliance with security standards such as NIST SP 800-53 and ISO/IEC 27001, which require secure configuration management and proper credential handling practices. Organizations using this device should implement network segmentation and monitoring to detect unauthorized access attempts, as the hardcoded credentials create a predictable attack vector. The vulnerability demonstrates poor secure coding practices and highlights the importance of avoiding hardcoded credentials in embedded systems and network devices. This flaw represents a fundamental security weakness that undermines the integrity of the wireless network and provides attackers with a direct path to network access. The attack surface is broadened by the presence of multiple hardcoded credentials, including those for RADIUS authentication, WPS functionality, and wireless network access, making this device particularly vulnerable to exploitation. The lack of proper credential management in the firmware design creates a persistent security risk that can be exploited for extended periods without detection. Organizations should consider immediate network isolation of affected devices and implement alternative authentication mechanisms to prevent exploitation of these hardcoded credentials.