CVE-2026-36607

Mercusys AC12G EU V1 router with firmware AC12GEUV1200909 allows unauthenticated brute-force attacks via the TDDP password change endpoint code=10, which lacks the rate limiting applied to the login endpoint code=7. An attacker on the adjacent network can attempt unlimited passwords without...

CVE-2026-36604

Mercusys AC12G EU V1 router with firmware AC12GEUV1200909 does not validate the HTTP Host header, enabling DNS rebinding attacks. An external attacker can rebind a domain to the router's internal IP address, extending the CORS wildcard vulnerability Access-Control-Allow-Origin: to...

CVE-2026-36602

Mercusys AC12G EU V1 router with firmware AC12GEUV1200909 discloses kernel memory layout via the UPnP GetStatusInfo action. An unauthenticated attacker on the adjacent network can obtain a raw MIPS KSEG0 kernel pointer, revealing kernel memory layout and aiding further exploitation...

EUVD-2026-34151

Mercusys AC12G EU V1 with firmware AC12GEUV1200909 enables WPS 2.0 by default with a weak lockout policy 60-second lockout after 10 attempts...

CVE-2026-36613

Mercusys AC12G EU V1 with firmware AC12GEUV1200909 returns 128 bytes of uninitialized internal buffer contents when receiving HTTP POST requests to undefined paths, exposing server state to unauthenticated adjacent network attackers...

PT-2026-46000

Mercusys AC12G EU V1 with firmware AC12GEU V1 200909 enables WPS 2.0 by default with a weak lockout policy 60-second lockout after 10 attempts...

CVE-2026-36607

Mercusys AC12G (EU) V1 router, firmware AC12G(EU)_V1_200909, is affected by CVE-2026-36607. The TDDP password change endpoint (code=10) allows unauthenticated brute-force attempts without rate limiting, unlike the login endpoint (code=7). An attacker on an adjacent network can attempt unlimited p...

CVE-2026-36616

Mercusys AC12G EU V1 with firmware AC12GEUV1200909 contains hardcoded WiFi driver credentials including a RADIUS shared secret, WPS test key, and default PSK embedded in the production firmware binary...

PT-2026-45990

Name of the Vulnerable Software and Affected Versions Mercusys AC12G EU V1 version AC12GEU V1 200909 Description The UPnP GetStatusInfo action discloses kernel memory layout. An unauthenticated attacker on the adjacent network can obtain a raw MIPS KSEG0 kernel pointer, which reveals the kernel...

CVE-2026-36618

Mercusys AC12G (EU) V1 devices (firmware AC12G(EU)_V1_200909) are affected. The issue arises because the DNS resolver (unbound 1.22.0) reveals its version when responding to version.bind CHAOS TXT queries, which can aid targeted attacks against known vulnerabilities. The vulnerability pertains to...