Can you explain this vulnerability to me?

CVE-2026-36615 affects the Mercusys AC12G (EU) V1 router with firmware versions AC12G(EU)_V1_200909 and AC12G(EU)_V1_210128.

The vulnerability involves an undocumented `/agileconfigreset` endpoint that leaks internal buffer contents to unauthenticated attackers on the same network.

This endpoint accepts POST requests without authentication and returns a malformed response containing 128 bytes from the internal HTTP header parse buffer, which includes parsed HTTP headers from the current request in a null-separated format.

GET requests to this endpoint return a 403 Forbidden error, so the issue only occurs with POST requests.

The vulnerability is classified as medium severity with a CVSS v3.1 score of 4.3 and is related to sensitive information exposure.

The affected product is end-of-life with no planned fixes.

Useful 0 Not Useful 0

How can this vulnerability impact me? :

This vulnerability allows unauthenticated attackers on the adjacent network to access internal buffer contents of the router by sending POST requests to an undocumented endpoint.

The leaked buffer contains sensitive information such as parsed HTTP headers from the current request, which could potentially be used to gather information about network traffic or the device's internal state.

Since the endpoint is undocumented and unauthenticated, attackers can exploit this without any credentials, increasing the risk of information disclosure.

Because the product is end-of-life with no planned fixes, the vulnerability remains unpatched, leaving affected devices exposed.

Useful 0 Not Useful 0

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by sending an unauthenticated POST request to the undocumented /agileconfigreset endpoint on the Mercusys AC12G (EU) V1 router and observing the response.

A successful detection will return a malformed response containing 128 bytes of internal HTTP header parse buffer data, which includes parsed HTTP headers in a null-separated format.

GET requests to this endpoint will return a 403 Forbidden error, so detection must use POST requests.

• Use curl to send a POST request: curl -X POST http://<router-ip>/agileconfigreset -v
• Check the response for unexpected buffer content or malformed data indicating the leak.

Useful 0 Not Useful 0

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting access to the router's management interface to trusted networks only, preventing unauthenticated access from adjacent networks.

Since the affected product is end-of-life with no planned fixes, consider removing or blocking access to the undocumented /agileconfigreset endpoint if possible.

Implement network-level controls such as firewall rules to block POST requests to /agileconfigreset.

Ultimately, replacing the affected device with a supported model that does not contain this vulnerability is recommended.

Useful 0 Not Useful 0

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

The vulnerability in Mercusys AC12G (EU) V1 firmware exposes internal buffer contents to unauthenticated attackers on the adjacent network, leaking sensitive information. This exposure of sensitive data could potentially lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access.

Since the vulnerability allows unauthenticated access to internal data, it increases the risk of data breaches, which are subject to strict reporting and remediation requirements under these regulations.

However, the specific impact on compliance depends on the nature of the leaked data and the environment in which the device is deployed.

Useful 0 Not Useful 0