Description
Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 exposes an undocumented /agileconfigreset endpoint that returns internal buffer contents to unauthenticated attackers on the adjacent network.
Published: 2026-06-03
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An undocumented endpoint, /agileconfigreset, in the Mercusys AC12G (EU) V1 firmware reveals internal buffer contents when accessed by an unauthenticated client on the same network. The returned data can include sensitive configuration information and potentially expose authentication credentials or other proprietary information. Because no authentication is required, an attacker who can reach the device locally can read this data and potentially use it for further exploitation.

Affected Systems

Mercusys AC12G (EU) V1 running firmware AC12G(EU)_V1_200909. The flaw is specific to this version of the firmware; no other affected versions are mentioned in the advisory.

Risk and Exploitability

No publicly available CVSS or EPSS score is listed, and the vulnerability is not in the CISA KEV catalog. The lack of authentication combined with the leakage of internal buffer data makes this a serious information‑disclosure risk that is exploitable from any host on the adjacent local network. An attacker needs only network access and no credentials to trigger the vulnerability, implying high operational risk for devices in untrusted networks.

Generated by OpenCVE AI on June 3, 2026 at 18:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the device firmware if the vendor releases a version that removes or disables the /agileconfigreset endpoint
  • Configure network segmentation or firewall rules to block local‑network access to the device’s web interface
  • Apply a local host block or port filter to deny unauthenticated access to the /agileconfigreset endpoint

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 18:45:00 +0000

Values removed: none
Values added:
  • Title: Undocumented /agileconfigreset Endpoint Reveals Internal Buffer Contents to Unauthenticated Network Attacks
  • Weaknesses: CWE-200

Wed, 03 Jun 2026 17:45:00 +0000

Values removed: none
Values added:
  • Description: Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 exposes an undocumented /agileconfigreset endpoint that returns internal buffer contents to unauthenticated attackers on the adjacent network.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-03T18:37:35.433Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-36615

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-03T18:16:22.750

Modified: 2026-06-03T18:16:22.750

Link: CVE-2026-36615

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T18:30:36Z

Weaknesses