Description
Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 is vulnerable to an HTTP denial of service via a low number of crafted incomplete HTTP requests, causing a persistent crash that requires physical power cycling to recover.
Published: 2026-06-03
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A malformed or incomplete HTTP request sent to the Mercusys AC12G router can cause the device to crash continuously until it is physically power‑cycled. This results in a loss of connectivity and availability for all users on the network that relies on the router’s management services.

Affected Systems

Routers bearing the Mercusys AC12G (EU) V1 firmware AC12G(EU)_V1_200909 are affected. No other products or versions are known to be vulnerable.

Risk and Exploitability

The CVSS score is not disclosed and the EPSS score is unavailable, indicating no quantified threat modeling is present. The vulnerability is not listed in the CISA KEV catalog. Attackers can trigger the crash by sending a small number of carefully crafted incomplete HTTP requests, and no special privileges or credentials are required, so the risk level remains high for devices exposed to untrusted networks. There is no evidence of remote code execution; the impact is purely a denial of service that requires a physical reset to recover.

Generated by OpenCVE AI on June 3, 2026 at 18:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify the router’s current firmware version and upgrade it to the latest release issued by Mercusys when one becomes available.
  • If an update is not immediately available, limit inbound traffic that can reach the HTTP management interface by implementing firewall rules or VLAN segmentation to restrict access to trusted internal networks.
  • Disable the HTTP management interface entirely if the router does not need to be accessed via HTTP from the network.
  • Monitor router logs for repeated incomplete request patterns and be prepared with a documented procedure for a physical power cycle whenever the device crashes.

Generated by OpenCVE AI on June 3, 2026 at 18:26 UTC.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 03 Jun 2026 18:45:00 +0000

Type | Values Removed | Values Added
Title | | HTTP Denial of Service via Incomplete Requests on Mercusys AC12G Router
Weaknesses | | CWE-400

Wed, 03 Jun 2026 17:45:00 +0000

Type | Values Removed | Values Added
Description | | Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 is vulnerable to an HTTP denial of service via a low number of crafted incomplete HTTP requests, causing a persistent crash that requires physical power cycling to recover.
References | |

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-03T18:35:11.458Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-36605

Vulnrichment

Updated: 2026-06-03T18:35:07.876Z

NVD

Status: Received

Published: 2026-06-03T18:16:21.550

Modified: 2026-06-03T19:16:27.383

Link: CVE-2026-36605

OpenCVE Enrichment

Updated: 2026-06-03T18:30:36Z
