CVE-2026-36612
Received - Intake
WPS 2.0 Weak Lockout Policy in Mercusys AC12G (EU) V1

Publication date: 2026-06-03

Last updated on: 2026-06-03

Assigner: MITRE

Description
Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 enables WPS 2.0 by default with a weak lockout policy (60-second lockout after 10 attempts).
Meta Information
Published
2026-06-03
Last Modified
2026-06-03
Generated
2026-06-04
AI Q&A
2026-06-03
EPSS Evaluated
N/A
NVD
EUVD
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
mercusys ac12g ac12g(eu)_v1_200909
mercusys ac12g ac12g(eu)_v1_210128
CWE ID Description
CWE-UNKNOWN
AI Powered Q&A
How can this vulnerability impact me? :

This vulnerability can allow an attacker within radio range of the router to recover your WiFi credentials by brute-forcing the WPS PIN, without ever knowing the WiFi passphrase.

Once the attacker holds the WiFi credentials, they have full access to your local area network (LAN), exposing every connected device and the traffic between them.

Because the lockout policy is weak (10 attempts, then only a 60-second lockout), the attacker can sustain roughly 600 PIN guesses per hour. The WPS PIN is verified in two halves, so at most about 11,000 guesses are needed in the worst case, which a patient attacker can work through in under a day.


Can you explain this vulnerability to me?

CVE-2026-36612 affects the Mercusys AC12G (EU) V1 router with firmware versions AC12G(EU)_V1_200909 and AC12G(EU)_V1_210128.

WPS 2.0 is enabled by default, and the lockout policy permits 10 failed PIN attempts before imposing just a 60-second lockout, which does little to slow an online brute-force attack against the PIN.

The CVE description records only the lockout weakness. A separate claim that the AP PIN is derived predictably from the BSSID MAC address is not part of that description; if it holds for a given unit, an attacker who computes the PIN and activates WPS PIN mode recovers the WiFi credentials in a single attempt rather than after a brute-force run, and gains full LAN access either way.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be identified by confirming that a Mercusys AC12G (EU) V1 router is running firmware version AC12G(EU)_V1_200909 or AC12G(EU)_V1_210128 and that WPS is enabled; since WPS 2.0 is on by default, assume it is enabled unless you have turned it off.

You can check whether WPS is enabled in the router's web interface, or from the outside with a wireless scanner that reads the WPS information element in beacons.

From the command line, wash from the Reaver suite lists WPS-enabled access points together with the WPS version and the locked flag (Lck) the AP currently advertises. It cannot read the lockout policy itself; it only shows whether the AP is locked at the moment of the scan.

  • wash -i <interface> -c <channel> -s (the interface must be in monitor mode)
  • reaver -i <interface> -b <BSSID> -vv, run only against a network you own or are authorised to test, sends PIN attempts and lets you observe when the AP locks and how quickly the lock clears.
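As an added example, not code from the CVE page, from Mercusys or from the Reaver project, the POSIX shell filter below reads the table that wash prints in scan mode and lists WPS-enabled access points that are not currently advertising the locked flag. It assumes the column layout of wash from reaver-wps-fork-t6x (BSSID, Ch, dBm, WPS, Lck, Vendor, ESSID); the embedded scan output is constructed sample data, not a real capture, and the function names are mine.

```shell
#!/bin/sh
# Added example: filter wash scan output for APs that accept WPS PIN attempts.
# Assumed column layout (reaver-wps-fork-t6x wash, scan mode):
#   BSSID  Ch  dBm  WPS  Lck  Vendor  ESSID
# wash only lists WPS-capable APs unless -a is given, so every row is WPS-enabled.

# Constructed sample output; not a real scan and not a real Mercusys BSSID.
WASH_SAMPLE='BSSID               Ch  dBm  WPS  Lck  Vendor    ESSID
--------------------------------------------------------------------------------
AA:BB:CC:00:00:01    6  -41  2.0  No   Unknown   MERCUSYS_0001
AA:BB:CC:00:00:02   11  -63  2.0  Yes  Unknown   Office-Guest
AA:BB:CC:00:00:03    1  -70  1.0  No   Unknown   Legacy-AP'

# Read wash output on stdin; print "BSSID ESSID" for each AP whose Lck column
# is "No". Skips the header and separator rows and rejoins ESSIDs with spaces.
# Usage: wash -i wlan0mon -s | wps_unlocked_aps
wps_unlocked_aps() {
    awk 'NR > 2 && $5 == "No" {
        essid = $7
        for (i = 8; i <= NF; i++) essid = essid " " $i
        printf "%s %s\n", $1, essid
    }'
}

# Number of unlocked WPS APs in the input, for use in scripts and checks.
count_unlocked() {
    wps_unlocked_aps | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$WASH_SAMPLE" | wps_unlocked_aps
```

An AP that shows Lck No is merely unlocked at that instant. Against the policy described on this page, ten failed attempts flip the flag to Yes and it clears 60 seconds later, so re-running the scan once a minute during an authorised test is how to measure the lockout window directly instead of inferring it.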

What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation is to disable WPS on the Mercusys AC12G (EU) V1 router; it is enabled by default, so this must be done explicitly.

Raising the lockout duration to at least one hour and lowering the maximum number of PIN attempts to three would also blunt the attack, but only if the firmware exposes such settings, and the description gives no indication that it does. Treat disabling WPS as the reliable control.

Since the affected product is end-of-life with no planned fixes, replacing the device with a supported router is recommended.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

The vulnerability in Mercusys AC12G (EU) V1 routers allows an attacker to recover WiFi credentials and gain full LAN access due to a weak WPS lockout policy and predictable PIN generation. This unauthorized access risk could lead to exposure of sensitive data, potentially impacting compliance with data protection standards such as GDPR and HIPAA, which require adequate security measures to protect personal and health information.

Specifically, the ability to brute-force the WPS PIN and access the network compromises the confidentiality and integrity of data transmitted over the network, which is a critical requirement under these regulations. Organizations using this device without mitigation may fail to meet security controls mandated by these standards.

Remediation steps such as disabling WPS by default, increasing lockout duration, and improving PIN generation are necessary to reduce the risk and help maintain compliance.

