CVE-2026-36606
Status: Received - Intake
Mercusys AC12G (EU) V1 Firmware Hardcoded DES Key Configuration Backup Decryption

Publication date: 2026-06-03

Last updated on: 2026-06-03

Assigner: MITRE

Description
Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 encrypts configuration backups with a hardcoded DES key using single DES in ECB mode. An attacker who obtains a backup file can decrypt it to recover all stored credentials including admin password, WiFi PSK, and DDNS credentials.
Meta Information
Published: 2026-06-03
Last Modified: 2026-06-03
Generated: 2026-06-04
AI Q&A: 2026-06-03
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
mercusys ac12g ac12g(eu)_v1_200909
mercusys ac12g ac12g(eu)_v1_210128
CWE
CWE ID: CWE-798
Description: The product contains hard-coded credentials, such as a password or cryptographic key.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability exposes sensitive credentials such as admin passwords, WiFi PSKs, and DDNS credentials by using weak encryption with a hardcoded DES key. Such exposure of sensitive data can lead to unauthorized access and data breaches.

Because the vulnerability allows attackers to decrypt configuration backups and recover sensitive information, it undermines the confidentiality and integrity of data, which are key requirements under common standards and regulations like GDPR and HIPAA.

Failure to protect sensitive credentials adequately may result in non-compliance with these regulations, potentially leading to legal and financial consequences for organizations using the affected devices.


Can you explain this vulnerability to me?

CVE-2026-36606 affects the Mercusys AC12G (EU) V1 router with firmware versions AC12G(EU)_V1_200909 and AC12G(EU)_V1_210128. The vulnerability arises because the router encrypts configuration backups using a hardcoded DES key in ECB mode.

This means that an attacker who obtains a backup file can decrypt it using the known, shared DES key, exposing sensitive information such as the admin password, WiFi PSKs, PPPoE credentials, DDNS details, and guest network credentials.

The encryption method is weak because it uses single DES with a 56-bit key, which is easily brute-forced, and the same hardcoded key is used across multiple devices, increasing the risk.


How can this vulnerability impact me?

If an attacker obtains a configuration backup file from the affected router, they can decrypt it to recover all stored credentials, including the admin password, WiFi passwords, and other sensitive network credentials.

This can lead to unauthorized access to the router's administrative interface and network, potentially allowing the attacker to control the device, intercept network traffic, or launch further attacks within the network.

Although downloading the backup requires authentication, once the backup file is obtained, the encryption provides no meaningful protection.

Additionally, the affected product is end-of-life with no planned fixes, meaning the vulnerability cannot be patched.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by identifying if your Mercusys AC12G (EU) V1 router is running the affected firmware versions AC12G(EU)_V1_200909 or AC12G(EU)_V1_210128.

Additionally, detection involves obtaining a configuration backup file from the device and attempting to decrypt it using the known hardcoded DES key (0x478DA50BF9E3D2CF). If the backup decrypts successfully, revealing sensitive credentials, the device is vulnerable.

Since the backup file requires authentication to download, commands or scripts that automate backup retrieval with valid credentials can be used to obtain the file for analysis.

Specific commands are not provided in the resources, but typical steps include:

  • Use the router management interface or scripts to download the configuration backup.
  • Use a DES decryption tool or script with the hardcoded key 0x478DA50BF9E3D2CF in ECB mode to decrypt the backup file.
  • Check the decrypted output for sensitive credentials such as admin password, WiFi PSK, and DDNS credentials.

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include:

  • Avoid using the configuration backup feature to prevent exposure of sensitive credentials.
  • Restrict access to the router's management interface to trusted users only.
  • Change all exposed credentials (admin password, WiFi PSK, DDNS credentials) if you suspect the backup file has been accessed.
  • Consider replacing the affected device since it is end-of-life and no firmware fixes are planned.

Long-term remediation involves using devices that implement strong encryption (e.g., AES-256 with device-specific keys and authenticated encryption modes like AES-GCM) instead of hardcoded DES keys.
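
The contrast between the flawed scheme described above (single DES, ECB mode, one key for every device) and the recommended design (AES-256-GCM with a device-specific key) can be shown in Go with the standard library alone. This is an added example, not code from the advisory or the vendor firmware; the DES key `EXAMPLE!`, the function names and the sample inputs are constructed for illustration, and each device key is assumed to be 32 random bytes provisioned per device.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"fmt"
)

// weakSeal: single DES in ECB with one key for every device (len(p) multiple of 8).
func weakSeal(p []byte) []byte {
	c, _ := des.NewCipher([]byte("EXAMPLE!")) // constructed shared key, not the advisory's
	out := make([]byte, len(p))
	for i := 0; i+8 <= len(p); i += 8 {
		c.Encrypt(out[i:i+8], p[i:i+8])
	}
	return out
}

func deviceAEAD(key []byte) (cipher.AEAD, error) {
	b, err := aes.NewCipher(key) // a 32-byte per-device key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(b)
}

// strongSeal returns nonce || ciphertext || tag with a fresh random nonce.
func strongSeal(a cipher.AEAD, p []byte) ([]byte, error) {
	nonce := make([]byte, a.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return a.Seal(nonce, nonce, p, nil), nil
}

// strongOpen fails on tampering or on a key that belongs to another device.
func strongOpen(a cipher.AEAD, blob []byte) ([]byte, error) {
	if n := a.NonceSize(); len(blob) >= n {
		return a.Open(nil, blob[:n], blob[n:], nil)
	}
	return nil, fmt.Errorf("backup too short")
}

func main() {
	a, _ := deviceAEAD(make([]byte, 32)) // all-zero demo key only
	blob, _ := strongSeal(a, []byte("AAAAAAAABBBBBBBBAAAAAAAA"))
	fmt.Printf("%x\n%x\n", weakSeal([]byte("AAAAAAAABBBBBBBBAAAAAAAA")), blob)
}
```

In the first printed line the first and third 8-byte blocks are identical, because ECB maps equal plaintext blocks to equal ciphertext blocks; the GCM output differs on every run.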

