The vulnerability in Mercusys AC12G firmware enables WPS 2.0 by default with a weak lockout policy: after ten wrong attempts a 60‑second delay is enforced before a next attempt. This allows an attacker to perform repeated Wi‑Fi protected setup authentications without a prohibitively long wait, making brute‑force attacks feasible and potentially granting unauthorized network access. The weakness is related to an inadequate authentication timeout policy (CWE‑307).

Mercusys AC12G (EU) V1 routers running firmware version AC12G(EU)_V1_200909 are impacted by the default WPS configuration that permits rapid repeated authentication attempts.

No CVSS score is provided in the available data, and the EPSS score is not listed. However, the absence of administrative enforcement of lockout means that an attacker with local network access can brute‑force WPS credentials in a short period, leading to potential unauthorized network access. The vulnerability is not listed in the CISA KEV catalog at this time. The likely attack vector is via the local wireless interface or any device connected to the router’s Wi‑Fi network.