CVE-2026-36610
Mercusys AC12G (EU) V1 Firmware Plaintext DDNS Credential Transmission
Publication date: 2026-06-03
Last updated on: 2026-06-03
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mercusys | ac12g | ac12g(eu)_v1_200909 |
| mercusys | ac12g | ac12g(eu)_v1_210128 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability involves transmitting DDNS credentials in plaintext over HTTP with only Base64 encoding, which is easily reversible. This cleartext transmission of sensitive information can lead to unauthorized interception of credentials by attackers.
Such insecure transmission of sensitive data likely violates common security requirements in standards and regulations like GDPR and HIPAA, which mandate protecting personal and sensitive information during transmission to prevent unauthorized access.
Because the firmware lacks TLS or SSL implementation, it fails to provide adequate protection for credentials in transit, potentially leading to non-compliance with these regulations' data protection and privacy requirements.
Can you explain this vulnerability to me?
CVE-2026-36610 affects the Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909. The vulnerability involves the transmission of Dynamic DNS (DDNS) credentials over plaintext HTTP, where the credentials are only encoded using Base64, which is easily reversible.
Because the firmware does not implement TLS or SSL, these credentials can be intercepted by anyone monitoring the network, such as ISPs, WiFi eavesdroppers, or man-in-the-middle attackers.
This means sensitive information like DDNS service credentials can be exposed during transmission to DDNS providers.
How can this vulnerability impact me?
The vulnerability can lead to the exposure of your DDNS credentials to attackers who can intercept network traffic.
With these credentials, an attacker could potentially gain unauthorized access to your DDNS service, which might allow them to redirect your domain name services or disrupt your network connectivity.
This exposure increases the risk of man-in-the-middle attacks and compromises the confidentiality of your network communications.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring network traffic for DDNS credential transmissions over plaintext HTTP. Since the credentials are only Base64 encoded and not encrypted, capturing HTTP traffic to DDNS providers like DynDNS or No-IP can reveal sensitive information.
- Use packet capture tools such as Wireshark or tcpdump to filter HTTP traffic on your network.
- Example tcpdump command to capture HTTP traffic: `tcpdump -i <interface> -A 'tcp port 80 and host <DDNS_provider_IP_or_hostname>'`
- Inspect captured HTTP packets for Base64 encoded strings in the DDNS credential fields, which can be decoded to verify if credentials are transmitted in plaintext.
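The inspection step above can be automated over saved `tcpdump -A` output. The script below is an added example, not code from the advisory or the vendor. It assumes the router sends the credentials in an HTTP `Authorization: Basic` header to a `/nic/update` endpoint, as DynDNS-style update clients do, and the sample capture, hostnames and credentials are constructed.

```python
import base64
import binascii
import re

REQ = re.compile(r"(GET|POST) (\S+) HTTP/1\.[01]")
HOST = re.compile(r"Host:\s*(\S+)", re.I)
AUTH = re.compile(r"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.I)

def decode_basic(token):
    """Return (user, password) for a valid Basic token, else None."""
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None

def find_cleartext_ddns_auth(capture_text):
    """Scan `tcpdump -A` text from port 80 and list requests exposing Basic credentials."""
    findings, current = [], None
    for line in capture_text.splitlines():
        if (m := REQ.search(line)):
            # New request; tcpdump may print header bytes before the method.
            current = {"host": None, "path": m.group(2).split("?")[0]}
        elif current is None:
            continue
        elif (m := HOST.match(line)):
            current["host"] = m.group(1)
        elif (m := AUTH.match(line)) and (creds := decode_basic(m.group(1))):
            # Report the exposure without copying the secret itself.
            current.update(user=creds[0], password_len=len(creds[1]))
            findings.append(current)
    return findings

# Constructed sample capture (documentation addresses, placeholder credentials).
TOKEN = base64.b64encode(b"demo-user:example-pass").decode()
SAMPLE_CAPTURE = "\n".join([
    "12:00:01.000000 IP 192.0.2.10.40112 > 198.51.100.7.80: Flags [P.], length 160",
    "E..x..@.@.....P.GET /nic/update?hostname=home.example.net HTTP/1.1",
    "Host: ddns.example.net",
    f"Authorization: Basic {TOKEN}",
    "12:00:02.000000 IP 192.0.2.10.40113 > 198.51.100.8.80: Flags [P.], length 90",
    "E..Z..@.@.....P.GET /index.html HTTP/1.1",
    "Host: www.example.org",
])

if __name__ == "__main__":
    for f in find_cleartext_ddns_auth(SAMPLE_CAPTURE):
        print(f["host"], f["path"], f["user"], f["password_len"])
```

Any finding means the account name and password crossed the network in recoverable form, so rotate that DDNS password once the device has been replaced or the update client moved to HTTPS.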
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include avoiding the use of the vulnerable Mercusys AC12G (EU) V1 firmware versions that transmit DDNS credentials without encryption.
Since the affected product is end-of-life with no planned fixes, the recommended action is to implement TLS for outbound connections or use DDNS providers that support HTTPS endpoints to protect credential transmission.
Alternatively, consider replacing the vulnerable device with a router that supports secure DDNS credential transmission over TLS/SSL.