Executive Summary

CVE-2026-36607 affects the Mercusys AC12G (EU) V1 router with specific firmware versions. The vulnerability is an authentication rate limit bypass in the TDDP password change endpoint (operation code 10). Unlike the login endpoint, which locks out an IP after 5 failed attempts, the password change endpoint allows unlimited brute-force attempts without any lockout.

This means an attacker on the local network can try thousands of password guesses per second to gain administrative access. The password encoding uses a static XOR with a hardcoded salt and alphabet substitution, making it easier to crack. When combined with another vulnerability (CVE-2026-36604), it could be exploited remotely via a victim's browser.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker to gain full administrative access to the affected router by brute-forcing the password without any rate limiting or lockout.

• DNS hijacking
• Firewall manipulation
• WiFi credential extraction
• Firmware modification

Since the router is end-of-life with no planned fixes, these impacts can be long-lasting and severe.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for high-speed brute-force attempts targeting the TDDP password change endpoint (operation code 10) on the Mercusys AC12G (EU) V1 router. Since the endpoint allows unlimited password attempts without lockout, unusually high numbers of password change requests from a single IP or multiple IPs on the adjacent network may indicate exploitation attempts.

To detect such activity, you can use network monitoring tools or packet capture utilities to filter and analyze traffic directed at the router's TDDP password change endpoint.

• Use tcpdump or Wireshark to capture packets targeting the router's management interface and filter for requests with operation code 10.
• Example tcpdump command to capture traffic to the router's IP on the relevant port (replace <router_ip> and <port>):
• tcpdump -i <interface> host <router_ip> and port <port> -w capture.pcap
• Analyze the capture for repeated password change requests (operation code 10) without corresponding lockouts.
• Check router logs if available for repeated password change attempts without lockout or rate limiting.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting access to the router's management interface to trusted devices only, ideally by isolating the router management network or using VLANs.

Since the vulnerability allows unlimited brute-force attempts on the password change endpoint without lockout, you should monitor for suspicious activity and consider disabling remote management if enabled.

Additional steps include changing the default router password to a strong, unique password to reduce the risk of successful brute-force attacks.

Because the affected product is end-of-life with no planned fixes, long-term mitigation involves replacing the device with a supported model that implements proper authentication rate limiting and account lockout mechanisms.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows unauthenticated attackers to gain full administrative access to the affected router by brute-forcing the password change endpoint without rate limiting or account lockout.

Such unauthorized access can lead to manipulation of DNS settings, firewall rules, WiFi credentials, and firmware, potentially resulting in data breaches or unauthorized data access.

Consequently, this poses significant risks to the confidentiality, integrity, and availability of data handled by the device, which can impact compliance with data protection regulations such as GDPR and HIPAA that require safeguarding personal and sensitive information.

Failure to mitigate this vulnerability may result in non-compliance with these standards due to inadequate security controls and increased risk of data compromise.

Useful 0 Not Useful 0