CVE-2026-36610
Deferred - Pending Action
Mercusys AC12G (EU) V1 Firmware Plaintext DDNS Credential Transmission

Publication date: 2026-06-03

Last updated on: 2026-06-03

Assigner: MITRE

Description
Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 transmits DDNS credentials over plaintext HTTP with only Base64 encoding. The firmware contains no TLS implementation, allowing man-in-the-middle interception of DDNS service credentials.
Meta Information
Published: 2026-06-03
Last Modified: 2026-06-03
Generated: 2026-06-24
AI Q&A: 2026-06-03
EPSS Evaluated: 2026-06-22
Affected Vendors & Products
Showing 2 associated CPEs
Vendor    Product  Version / Range
mercusys  ac12g    ac12g(eu)_v1_200909
mercusys  ac12g    ac12g(eu)_v1_210128
CWE ID   Description
CWE-319  The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
CWE-523  Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server.
Executive Summary

CVE-2026-36610 affects the Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909. The vulnerability involves the transmission of Dynamic DNS (DDNS) credentials over plaintext HTTP, where the credentials are only encoded using Base64, which is easily reversible.

Because the firmware does not implement TLS or SSL, these credentials can be intercepted by anyone monitoring the network, such as ISPs, WiFi eavesdroppers, or man-in-the-middle attackers.

This means sensitive information like DDNS service credentials can be exposed during transmission to DDNS providers.

Impact Analysis

The vulnerability can lead to the exposure of your DDNS credentials to attackers who can intercept network traffic.

With these credentials, an attacker could potentially gain unauthorized access to your DDNS service, which might allow them to redirect your domain name services or disrupt your network connectivity.

This exposure increases the risk of man-in-the-middle attacks and compromises the confidentiality of your network communications.

Detection Guidance

This vulnerability can be detected by monitoring network traffic for DDNS credential transmissions over plaintext HTTP. Since the credentials are only Base64 encoded and not encrypted, capturing HTTP traffic to DDNS providers like DynDNS or No-IP can reveal sensitive information.

  • Use packet capture tools such as Wireshark or tcpdump to filter HTTP traffic on your network.
  • Example tcpdump command to capture HTTP traffic: tcpdump -i <interface> -A 'tcp port 80 and host <DDNS_provider_IP_or_hostname>'
  • Inspect captured HTTP packets for Base64 encoded strings in the DDNS credential fields, which can be decoded to verify if credentials are transmitted in plaintext.
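
The inspection step above can be automated. The following is an added example, not code from the vendor or the CVE record: it scans reassembled port-80 request text for Base64-encoded credentials and reports them with the password redacted. It assumes the credentials ride in an HTTP Basic Authorization header, as DynDNS-style update requests do; the host names and capture bytes are constructed.

```python
import base64
import binascii
import re

# Assumption: the Base64-encoded credentials ride in an HTTP Basic
# "Authorization" header, as in DynDNS-style update requests.
AUTH_RE = re.compile(rb"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$", re.I | re.M)
HOST_RE = re.compile(rb"^Host:\s*(\S+)\s*$", re.I | re.M)

# Constructed sample of reassembled port-80 requests (not real traffic).
SAMPLE_CAPTURE = (
    b"GET /nic/update?hostname=home.example.test HTTP/1.1\r\n"
    b"Host: ddns.example.test\r\n"
    b"Authorization: Basic " + base64.b64encode(b"alice:S3cret-placeholder") + b"\r\n"
    b"User-Agent: constructed-client\r\n\r\n"
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.test\r\n\r\n"
)

def find_cleartext_basic_auth(capture: bytes):
    """Return one finding per request that carries Basic credentials."""
    findings = []
    # Split on the blank line that ends each request's header block.
    for request in capture.split(b"\r\n\r\n"):
        auth = AUTH_RE.search(request)
        if not auth:
            continue
        try:
            decoded = base64.b64decode(auth.group(1), validate=True)
        except binascii.Error:
            continue  # not valid Base64, so not a Basic credential
        user, sep, password = decoded.partition(b":")
        if not sep:
            continue  # Basic credentials are always "user:password"
        host = HOST_RE.search(request)
        findings.append({
            "host": host.group(1).decode("ascii", "replace") if host else "?",
            "user": user.decode("utf-8", "replace"),
            # Report only the length so the alert does not re-leak the secret.
            "password_len": len(password),
        })
    return findings

if __name__ == "__main__":
    for f in find_cleartext_basic_auth(SAMPLE_CAPTURE):
        print(f"cleartext Basic credentials to {f['host']} user={f['user']} "
              f"password=<{f['password_len']} chars redacted>")
```

Any finding for traffic leaving the router's WAN side means the DDNS account password should be treated as exposed and rotated.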
Mitigation Strategies

Immediate mitigation steps include avoiding the use of the vulnerable Mercusys AC12G (EU) V1 firmware versions that transmit DDNS credentials without encryption.

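Since the affected product is end-of-life with no planned fixes, the recommended action is to implement TLS for outbound connections or use DDNS providers that support HTTPS endpoints to protect credential transmission. Because the firmware itself contains no TLS implementation, the router's built-in DDNS client cannot use those HTTPS endpoints, so the update has to come from a client that can.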

Alternatively, consider replacing the vulnerable device with a router that supports secure DDNS credential transmission over TLS/SSL.

Compliance Impact

The vulnerability involves transmitting DDNS credentials in plaintext over HTTP with only Base64 encoding, which is easily reversible. This cleartext transmission of sensitive information can lead to unauthorized interception of credentials by attackers.

Such insecure transmission of sensitive data likely violates common security requirements in standards and regulations like GDPR and HIPAA, which mandate protecting personal and sensitive information during transmission to prevent unauthorized access.

Because the firmware lacks TLS or SSL implementation, it fails to provide adequate protection for credentials in transit, potentially leading to non-compliance with these regulations' data protection and privacy requirements.
