Impact
This vulnerability exists in the authentication mechanism of the Mercusys AC12G router: the login process uses a static nonce together with a simple XOR-based password encoding, so attackers who capture the authentication token can recover the actual password. The weakness involves improper cryptographic key reuse (CWE-327) and using an insecure random number generator for the nonce (CWE-341). It may lead to credential compromise, enabling attackers to log in and potentially manipulate the router or pivot to other devices on the network. No privilege escalation or arbitrary code execution is described, but the result is a loss of confidentiality and integrity of network communication.
Affected Systems
Only the Mercusys AC12G (EU) V1 router running firmware AC12G(EU)_V1_200909 is affected. The vulnerability is specific to this build; users of older or newer firmware versions may not be impacted.
Risk and Exploitability
The EPSS score is not available and the vulnerability is not listed in CISA KEV. The CVSS score is 7.3, indicating high severity. The likely attack vector is passive sniffing of the authentication traffic to obtain the token. Attackers with access to the local network, or with the ability to intercept the authentication sequence, can reverse the XOR encoding using only the static nonce and recover the plaintext password. Because the weakness enables credential compromise, unauthorized access to the router's configuration interface becomes possible, potentially leading to further network compromise.
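The following Python sketch is an added example, not code from this advisory or from the vendor firmware. It shows why a static nonce with an XOR encoding yields a fixed, reversible token, next to a fresh-nonce HMAC challenge-response and a nonce-reuse audit check. The nonce, password, function names and XOR layout are constructed assumptions; the router's actual encoding is not given on this page.

```python
import hashlib
import hmac
import secrets
from itertools import cycle

# Constructed values for illustration; not taken from the router firmware.
STATIC_NONCE = b"constructed-nonce"
PASSWORD = b"example-admin-pass"


def xor_encode(data: bytes, nonce: bytes) -> bytes:
    """Toy stand-in for an XOR-based encoding: repeat the nonce over the data."""
    return bytes(b ^ k for b, k in zip(data, cycle(nonce)))


def weak_login_token(password: bytes, nonce: bytes = STATIC_NONCE) -> bytes:
    """Weak design: the nonce never changes, so the token never changes either."""
    return xor_encode(password, nonce)


def new_challenge() -> bytes:
    """Hardened design: the server issues a fresh CSPRNG nonce per login attempt."""
    return secrets.token_bytes(16)


def strong_login_response(password: bytes, salt: bytes, challenge: bytes) -> bytes:
    """Hardened design: a one-way keyed MAC over the challenge replaces the XOR."""
    key = hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)
    return hmac.new(key, challenge, hashlib.sha256).digest()


def reused_nonces(observed: list[bytes]) -> set[bytes]:
    """Audit check: return nonces that appear in more than one login exchange."""
    seen, repeated = set(), set()
    for n in observed:
        (repeated if n in seen else seen).add(n)
    return repeated


if __name__ == "__main__":
    t1, t2 = weak_login_token(PASSWORD), weak_login_token(PASSWORD)
    print("weak token identical across logins:", t1 == t2)
    print("weak encoding is its own inverse:", xor_encode(t1, STATIC_NONCE) == PASSWORD)
    salt = secrets.token_bytes(16)
    c1, c2 = new_challenge(), new_challenge()
    r1, r2 = (strong_login_response(PASSWORD, salt, c) for c in (c1, c2))
    print("hardened responses differ per login:", r1 != r2)
    print("reused nonces:", reused_nonces([STATIC_NONCE, STATIC_NONCE, c1, c2]))
```

On the server side, the hardened response would be checked with `hmac.compare_digest` against a value computed from the stored derived key, and each challenge would be accepted only once.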
OpenCVE Enrichment