CVE-2026-36606 - Vulnerability Details

- Hardcoded DES Key in Router Backup Enables Credential Exposure

Description

Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 encrypts configuration backups with a hardcoded DES key using single DES in ECB mode. An attacker who obtains a backup file can decrypt it to recover all stored credentials including admin password, WiFi PSK, and DDNS credentials.

Published: 2026-06-03

Score: 7.1 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability arises from the router’s use of a hardcoded DES key and single DES in ECB mode to encrypt configuration backups. This weak encryption scheme allows an attacker who obtains a backup file to decrypt it and recover all credentials stored within, including the admin password, WiFi PSK, and DDNS credentials. The root weakness involves the use of a hardcoded DES key (CWE-798). Based on available information, it is inferred that an attacker could obtain the backup file through the router’s web interface or by physical access.

Affected Systems

Mercusys AC12G (EU) V1 router running firmware AC12G(EU)_V1_200909.

Risk and Exploitability

The attack requires access to the backup file, which can be obtained through the router’s web interface or by physical access. The CVSS score of 7.1 indicates moderate‑to‑high severity for sensitive data exposure, and the EPSS score is not available. The vulnerability is not listed in the CISA KEV catalog. The potential impact is significant for networks where the backup contains credentials that could compromise the router, neighboring devices, or the broader network domain.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

affected

Version	Status	Constraints
`n/a`	affected	—

No data.

Vendor Product Confidence Versions

Mercusys

Ac12g

100%

Version	Status	Scheme	Platform
`V1_200909`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the router firmware to a version that removes the hardcoded DES key for backup encryption.
Disable or restrict the backup download feature via the router’s management interface or ACLs to prevent unauthorized access.
If an update is unavailable, copy backups to a secure location and encrypt them with a strong algorithm before storing them.
Consider resetting the router and configuring new credentials so that any remaining vulnerability in the backup file no longer affects the current configuration.

Generated by OpenCVE AI on June 3, 2026 at 23:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00104.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://github.com/Tymbark7372/MERCUSYS-AC12G/blob/master/advisories/CVE-2026-36606.md

History

Fri, 05 Jun 2026 10:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mercusys Mercusys ac12g
Vendors & Products		Mercusys Mercusys ac12g

Wed, 03 Jun 2026 23:45:00 +0000

Type	Values Removed	Values Added
Title		Hardcoded DES Key in Router Backup Enables Credential Exposure

Wed, 03 Jun 2026 21:15:00 +0000

Type	Values Removed	Values Added
Title	Hardcoded DES Key Enables Decryption of Backups and Exposure of Credentials
Weaknesses	CWE-200 CWE-256 CWE-310

Wed, 03 Jun 2026 19:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-798
Metrics		cvssV3_1 `{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Wed, 03 Jun 2026 18:45:00 +0000

Type	Values Removed	Values Added
Title		Hardcoded DES Key Enables Decryption of Backups and Exposure of Credentials
Weaknesses		CWE-200 CWE-256 CWE-310

Wed, 03 Jun 2026 17:45:00 +0000

Type	Values Removed	Values Added
Description		Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 encrypts configuration backups with a hardcoded DES key using single DES in ECB mode. An attacker who obtains a backup file can decrypt it to recover all stored credentials including admin password, WiFi PSK, and DDNS credentials.
References		https://github.com/Tymbark7372/MERCUSYS-AC12G/blob/master/advisories/CVE-2026-36606.md

Subscriptions

Mercusys Ac12g

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2026-06-03T00:00:00.000Z

Updated: 2026-06-03T18:32:24.969Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-36606

Vulnrichment

Updated: 2026-06-03T18:32:19.105Z

NVD

Status : Deferred

Published: 2026-06-03T18:16:21.677

Modified: 2026-06-04T15:41:35.193

Link: CVE-2026-36606

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T10:12:31Z

Weaknesses

CWE-798
Use of Hard-coded Credentials

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object