CVE-2026-36609
Deferred Deferred - Pending Action
Static Authentication Nonce and XOR Password Encoding in Mercusys AC12G (EU) V1 Router

Publication date: 2026-06-03

Last updated on: 2026-06-03

Assigner: MITRE

Description
Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 uses a static authentication nonce that does not change between requests from the same source IP. Combined with the predictable XOR-based password encoding (securityEncode function), this allows an attacker to reverse captured authentication tokens to recover the plaintext password.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-03
Last Modified
2026-06-03
Generated
2026-06-16
AI Q&A
2026-06-03
EPSS Evaluated
2026-06-14
NVD
CVE-2026-36609
EUVD
EUVD-2026-34148
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
mercusys ac12g ac12g(eu)_v1_200909
mercusys ac12g ac12g(eu)_v1_210128
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-341 A number or object is predictable based on observations that the attacker can make about the state of the system or network, such as time, process ID, etc.
CWE-327 The product uses a broken or risky cryptographic algorithm or protocol.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-36609 affects the Mercusys AC12G (EU) V1 router with firmware versions AC12G(EU)_V1_200909 and AC12G(EU)_V1_210128. The vulnerability arises because the router uses a static authentication nonce that does not change between requests from the same source IP.

This static nonce, combined with a predictable XOR-based password encoding method, allows an attacker to reverse captured authentication tokens to recover the plaintext password.

The router's authentication protocol uses a fixed 32-character nonce generated once per boot per source IP, and the session token is computed using this static nonce and other static values, making it fully reversible.

Because the nonce and other inputs are static, the same password always produces the same session token, which never expires or rotates during a boot cycle.

Impact Analysis

This vulnerability can have several serious impacts:

  • Attackers can recover the plaintext password from a single captured authentication exchange.
  • Captured session tokens can be replayed indefinitely, allowing unauthorized access without needing to know the password again.
  • Attackers can precompute session tokens offline using a password dictionary, facilitating faster attacks.
  • Devices with the same password produce identical session tokens, increasing the risk of compromise across multiple devices.

Additionally, the device is end-of-life with no planned fixes, meaning these risks remain unmitigated.

Detection Guidance

This vulnerability can be detected by capturing and analyzing authentication tokens exchanged between clients and the Mercusys AC12G (EU) V1 router. Since the authentication nonce is static per source IP and the session token is predictable and reversible, you can observe repeated identical session tokens from the same source IP during authentication attempts.

To detect this on your network, you can use packet capture tools such as tcpdump or Wireshark to monitor HTTP authentication traffic to the router and check for static or repeated nonce values and identical session tokens.

  • Use tcpdump to capture traffic on the router's IP and port (usually port 80 or 443): tcpdump -i <interface> host <router_ip> and port 80 -w capture.pcap
  • Open the capture in Wireshark and filter HTTP authentication requests to inspect nonce values and session tokens for repetition or predictability.
  • Look for identical 32-character nonce values and repeated session tokens from the same source IP across multiple authentication attempts.
Mitigation Strategies

Immediate mitigation steps include limiting exposure of the vulnerable router by restricting access to its management interface to trusted networks or IP addresses.

Since the device is end-of-life with no planned fixes, consider replacing the Mercusys AC12G (EU) V1 router with a more secure device that uses proper nonce generation and session token management.

If replacement is not immediately possible, monitor authentication traffic for suspicious repeated tokens and consider changing passwords frequently to reduce the risk of password recovery.

Network segmentation and firewall rules can help reduce the attack surface by limiting who can reach the router's authentication interface.

Compliance Impact

The vulnerability allows attackers to recover plaintext passwords and replay authentication tokens indefinitely due to static nonces and predictable encoding. This compromises the confidentiality and integrity of authentication credentials.

Such a security weakness can lead to unauthorized access to network devices and potentially sensitive data, which may violate common standards and regulations like GDPR and HIPAA that require protection of personal and sensitive information.

Because the device is end-of-life with no planned fixes, organizations using this router may face challenges in maintaining compliance with these regulations, as they must ensure adequate security controls to protect data and authentication mechanisms.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-36609. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart