Executive Summary

CVE-2026-36613 is a vulnerability in the Mercusys AC12G (EU) V1 router firmware versions AC12G(EU)_V1_200909 and AC12G(EU)_V1_210128. It occurs because the HTTP POST request handler in the router's VxWorks HTTP server leaks 128 bytes of uninitialized internal buffer contents when it receives POST requests to undefined or unrecognized paths or invalid operation codes.

This leaked buffer contains null-separated HTTP header key-value pairs from previously processed requests, and if the POST request includes a body, an additional 67 bytes of adjacent heap memory are leaked, exposing fragments of HTTP response templates from earlier operations.

The vulnerability can be triggered by any device on the local network without authentication, and the server responds with raw buffer data before any HTTP status line, violating HTTP protocol standards.

The affected product is end-of-life with no planned fixes, and the issue is rated as Medium severity with a CVSS v3.1 score of 5.3.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability causes the Mercusys AC12G (EU) V1 router to leak internal server state and fragments of HTTP response templates to unauthenticated adjacent network attackers. This exposure of potentially sensitive information could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding personal and sensitive data against unauthorized access.

Since the vulnerability allows leakage of internal memory contents without authentication, it may result in unauthorized disclosure of information, violating confidentiality requirements mandated by these standards.

However, the exact impact on compliance depends on the nature of the leaked data and whether it includes personal or protected health information. The affected product is end-of-life with no planned fixes, which further complicates compliance efforts.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can expose sensitive internal server state information to unauthenticated attackers on the local network. The leaked data includes HTTP header information and fragments of HTTP response templates from previous requests.

Because the leaked memory addresses remain stable due to the lack of ASLR in VxWorks, attackers could potentially use this information to aid further exploitation or reconnaissance of the device.

Overall, this could lead to information disclosure that might help attackers understand the internal workings of the router, potentially facilitating more advanced attacks.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by sending HTTP POST requests to undefined or unrecognized paths on the Mercusys AC12G (EU) V1 router and observing the response for leaked internal buffer contents.

• Send a POST request to paths such as /admin, /config, or /firmware that are not defined on the device.
• Use curl or similar tools to send these requests from a device on the local network.
• Example command: curl -X POST http://<router-ip>/admin -d 'test=data' -v
• Check if the response contains 128 bytes of uninitialized internal buffer data or additional leaked heap memory, which indicates the vulnerability.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting access to the affected device from untrusted or adjacent network devices to prevent exploitation.

Since the affected product is end-of-life with no planned fixes, consider the following:

• Limit network access to the router by using firewall rules or network segmentation.
• Avoid sending HTTP POST requests to undefined paths on the device.
• Monitor network traffic for suspicious POST requests targeting undefined paths.

Long term, replace the device with a supported model that receives security updates.

Useful 0 Not Useful 0