Description
Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 uses a static authentication nonce that does not change between requests from the same source IP. Combined with the predictable XOR-based password encoding (securityEncode function), this allows an attacker to reverse captured authentication tokens to recover the plaintext password.
Published: 2026-06-03
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability exists in the authentication mechanism of the Mercusys AC12G router, where a static nonce used in the login process, combined with a simple XOR-based password encoding, allows attackers who capture the authentication token to recover the actual password. The weakness, described by CWE-326, may lead to credential compromise, enabling attackers to log in and potentially manipulate the router or pivot to other devices on the network. No privilege escalation or arbitrary code execution is described, but a loss of confidentiality and integrity of network communication results.

Affected Systems

Only the Mercusys AC12G (EU) V1 router running firmware AC12G(EU)_V1_200909 is affected. Users of older or newer firmware versions may not be impacted, but the vulnerability is specific to this build.

Risk and Exploitability

EPSS score is not available and the vulnerability is not in CISA KEV. The CVSS score is not provided. The attack vector is likely passive sniffing of the authentication traffic to obtain the token. Attackers with access to the local network or the ability to intercept the authentication sequence can reverse the XOR encoding purely through the static nonce and recover the plaintext password. As no mitigations are listed, this vulnerability remains open for exploitation until a firmware update is deployed.

Generated by OpenCVE AI on June 3, 2026 at 18:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware update from Mercusys that replaces the static nonce with a dynamic one and uses secure password hashing.
  • If an update is not available, disable remote administration or restrict access to trusted IP addresses to reduce exposure.
  • Monitor the network for repeated authentication attempts and employ network segmentation to isolate the router from critical assets.


Tracking


Advisories

No advisories yet.

History

Wed, 03 Jun 2026 18:45:00 +0000

Type         Values Removed   Values Added
Title                         Static Nonce and Predictable XOR Encoding Enable Recovery of Plaintext Passwords on Mercusys AC12G Router
Weaknesses                    CWE-326

Wed, 03 Jun 2026 17:45:00 +0000

Type         Values Removed   Values Added
Description                   Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 uses a static authentication nonce that does not change between requests from the same source IP. Combined with the predictable XOR-based password encoding (securityEncode function), this allows an attacker to reverse captured authentication tokens to recover the plaintext password.
References

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-03T16:09:04.378Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-36609

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-03T18:16:22.063

Modified: 2026-06-03T18:16:22.063

Link: CVE-2026-36609

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T18:30:36Z

Weaknesses