Description
Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 contains hardcoded WiFi driver credentials including a RADIUS shared secret, WPS test key, and default PSK embedded in the production firmware binary.
Published: 2026-06-03
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The firmware of the Mercusys AC12G (EU) V1 includes embedded WiFi driver credentials, a RADIUS shared secret, a WPS test key, and a default pre‑shared key. These hard‑coded credentials enable an attacker to authenticate to the device’s WiFi network without any user input and gain privileged access to the network and the device itself. Once authenticated, an attacker can intercept wireless traffic, add or modify network policies, or use the router as a foothold for further attacks. The nature of the flaw is a credential compromise that undermines network confidentiality and integrity.

Affected Systems

Mercusys AC12G (EU) V1 firmware AC12G(EU)_V1_200909 is affected. No other product or version information was disclosed.

Risk and Exploitability

The EPSS score is not available, and the vulnerability is not listed in KEV, but the existence of hard‑coded credentials poses a high exploitation risk. An attacker with network access to the device can readily exploit the flaw by connecting to the WiFi network using the embedded credentials or by querying the device over the local network. Although a formal CVSS score is not provided, the risk remains significant because the attacker gains both network access and administrative control in one step.

Generated by OpenCVE AI on June 3, 2026 at 18:23 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Identify and disconnect any devices running the affected firmware from the network
  • Update the router to a firmware version that removes hard‑coded credentials, if such a patch is released
  • Disable WPS and change the default SSID, PSK, and administrative passwords on the device
  • Continuously monitor the network for unauthorized access or anomalous traffic patterns

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 18:45:00 +0000

Type | Values Removed | Values Added
Title | | Hardcoded WiFi Credentials in Mercusys AC12G Firmware
Weaknesses | | CWE-798

Wed, 03 Jun 2026 17:45:00 +0000

Type | Values Removed | Values Added
Description | | Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 contains hardcoded WiFi driver credentials including a RADIUS shared secret, WPS test key, and default PSK embedded in the production firmware binary.
References | |

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-03T16:13:49.475Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-36616

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-03T18:16:22.887

Modified: 2026-06-03T18:16:22.887

Link: CVE-2026-36616

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T18:30:36Z

Weaknesses