Description
Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 encrypts configuration backups with a hardcoded DES key using single DES in ECB mode. An attacker who obtains a backup file can decrypt it to recover all stored credentials including admin password, WiFi PSK, and DDNS credentials.
Published: 2026-06-03
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from the router's use of a hardcoded DES key and single DES in ECB mode to encrypt configuration backups. This weak encryption scheme allows an attacker who obtains a backup file to decrypt the backup and recover all credentials stored within, including the admin password, WiFi pre-shared key, and DDNS credentials. The root weakness is the use of a hardcoded key (CWE-256) in a weak cipher mode (CWE-310), which directly leads to confidential information disclosure (CWE-200).

Affected Systems

Mercusys AC12G (EU) V1 router running firmware AC12G(EU)_V1_200909.

Risk and Exploitability

The attack requires that the attacker obtain a backup file. While the CVSS score is not disclosed, the exposure of all stored credentials indicates a high potential impact if the file is accessed. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is an attacker who can read or download the backup via the router's management interface or through physical access to the backup file. Given the severe information disclosure, the potential for compromise is significant, particularly if the router is part of a critical or exposed network environment.

Generated by OpenCVE AI on June 3, 2026 at 18:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the router firmware to a version that no longer uses a hardcoded DES key for backup encryption.
  • Disable or restrict access to the backup download functionality through the web interface or by adjusting ACLs.
  • Store any exported backups only after applying an additional encryption step, and keep them in a secure location.
  • If no firmware update is available, consider resetting the router and configuring new credentials to mitigate the risk, as the original encrypted backup remains vulnerable.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-798
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 03 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
Title Hardcoded DES Key Enables Decryption of Backups and Exposure of Credentials
Weaknesses CWE-200
CWE-256
CWE-310

Wed, 03 Jun 2026 17:45:00 +0000

Type Values Removed Values Added
Description Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 encrypts configuration backups with a hardcoded DES key using single DES in ECB mode. An attacker who obtains a backup file can decrypt it to recover all stored credentials including admin password, WiFi PSK, and DDNS credentials.
References

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-03T18:32:24.969Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-36606

Vulnrichment

Updated: 2026-06-03T18:32:19.105Z

NVD

Status : Received

Published: 2026-06-03T18:16:21.677

Modified: 2026-06-03T19:16:31.350

Link: CVE-2026-36606

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T18:30:36Z