CVE-2026-36616
Hardcoded WiFi Credentials in Mercusys AC12G (EU) V1

Publication date: 2026-06-03

Last updated on: 2026-06-03

Assigner: MITRE

Description
Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 contains hardcoded WiFi driver credentials including a RADIUS shared secret, WPS test key, and default PSK embedded in the production firmware binary.
Meta Information
Published: 2026-06-03
Last Modified: 2026-06-03
Generated: 2026-06-04
AI Q&A: 2026-06-03
EPSS Evaluated: N/A
Affected Vendors & Products (2 associated CPEs)
Vendor    Product  Version / Range
mercusys  ac12g    ac12g(eu)_v1_200909
mercusys  ac12g    ac12g(eu)_v1_210128
Exploitability
CWE ID: CWE-UNKNOWN
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability involves hardcoded WiFi driver credentials and plaintext logging of sensitive keys, which can lead to unauthorized access and credential leakage.

Such exposure of sensitive authentication information could result in non-compliance with common security requirements found in standards and regulations like GDPR and HIPAA, which mandate protection of sensitive data and secure authentication mechanisms.

Specifically, the leakage of credentials and potential unauthorized access could compromise confidentiality and integrity of data, violating principles required by these regulations.


Can you explain this vulnerability to me?

CVE-2026-36616 is a vulnerability in the Mercusys AC12G (EU) V1 firmware where hardcoded WiFi driver credentials are embedded in the production firmware binary.

  • These credentials include a RADIUS shared secret, a WPS test key, a default WPA passphrase, and factory AP passwords.
  • The hardcoded credentials can become active if configuration fails or certain wireless modes are enabled without proper key setup.
  • Additionally, the firmware logs WiFi keys in plaintext via debug or serial output, exposing sensitive information.

This vulnerability is linked to CWE-798 (Use of Hard-coded Credentials) and CWE-1188 (Insecure Default Initialization of Resource) and has a medium severity CVSS score of 6.1.


How can this vulnerability impact me?

This vulnerability can have several impacts on users of the affected device:

  • Potential server impersonation if WPA-Enterprise is enabled due to the default RADIUS shared secret.
  • Trivial guessing of the default WPA passphrase in AP Client mode, allowing unauthorized access.
  • Exposure of internal infrastructure IP addresses embedded in the firmware.
  • Leakage of sensitive credentials through plaintext logging in debug or serial output.

Since the device is end-of-life with no planned fixes, these risks remain unmitigated.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking for the presence of hardcoded WiFi driver credentials in the Mercusys AC12G (EU) V1 firmware, such as the RADIUS shared secret "ralink", the WPS test key "scaptest", and the default WPA passphrase "12345678".

Additionally, monitoring debug or serial output logs for plaintext credential leaks using format strings like "WPAPSK_KEY=%s" or "APCli_WPAPSK_KEY=%s" can help identify exposure of these credentials.

In practice, detection means extracting the firmware image (or capturing the device's debug/serial output) and searching it for these known hardcoded credential strings and key-logging format strings.
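As an added detection example (not part of this record or of any vendor tooling), the following Python script searches a firmware image for the hardcoded strings named above and checks serial/debug log lines for keys printed through the WPAPSK_KEY format strings; the firmware fragment and log lines it runs on are constructed for the demo, not real device output.

```python
import re
import sys

# Indicators taken from the advisory text above: hardcoded credential strings and
# the printf-style format strings the driver uses when it logs WiFi keys in plaintext.
HARDCODED_CREDENTIALS = {
    "RADIUS shared secret": b"ralink",
    "WPS test key": b"scaptest",
    "default WPA passphrase": b"12345678",
}
KEY_LOG_FORMATS = [b"WPAPSK_KEY=%s", b"APCli_WPAPSK_KEY=%s"]
DEFAULT_PSK = HARDCODED_CREDENTIALS["default WPA passphrase"].decode()
KEY_LOG_LINE = re.compile(r"((?:APCli_)?WPAPSK_KEY)=(\S+)")

def scan_firmware(image: bytes) -> dict:
    """Map each indicator found in the image to the offsets of its occurrences.
    A hit counts only when the bytes form a standalone C string (not surrounded by
    other printable ASCII), so "12345678" inside a longer digit run is not flagged."""
    indicators = dict(HARDCODED_CREDENTIALS)
    indicators.update({fmt.decode(): fmt for fmt in KEY_LOG_FORMATS})
    hits = {}
    for label, needle in indicators.items():
        pat = rb"(?<![\x20-\x7e])" + re.escape(needle) + rb"(?![\x20-\x7e])"
        offsets = [m.start() for m in re.finditer(pat, image)]
        if offsets:
            hits[label] = offsets
    return hits

def find_leaked_keys(log_text: str) -> list:
    """Return (line_no, field, value, is_default_psk) for each serial/debug log
    line that prints a WPA key in plaintext via one of the format strings above."""
    leaks = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        m = KEY_LOG_LINE.search(line)
        if m:
            leaks.append((line_no, m.group(1), m.group(2), m.group(2) == DEFAULT_PSK))
    return leaks

# Constructed sample firmware fragment and serial log (not real device output).
SAMPLE_IMAGE = (b"\x7fELF\x01\x01" + b"\x00" * 8 + b"ralink\x00" + b"\x00" * 4
                + b"WPAPSK_KEY=%s\n\x00" + b"987654321012345678\x00" + b"scaptest\x00")
SAMPLE_LOG = ("[    3.120] RTMP: APCli_WPAPSK_KEY=12345678\n"
              "[    3.125] RTMP: WPAPSK_KEY=examplepass\n"
              "[    3.130] RTMP: link up\n")

if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_IMAGE
    print(scan_firmware(image))
    print(find_leaked_keys(SAMPLE_LOG))
```

Run it with the path to an extracted firmware image as the first argument; with no argument it scans the constructed sample, where the digit run containing 12345678 is correctly ignored.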


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include removing all development and test credentials from the production firmware, ensuring explicit configuration of RADIUS keys for WPA-Enterprise, and disabling or restricting plaintext credential logging.

Since the affected Mercusys AC12G (EU) V1 device is end-of-life with no planned fixes, it is advisable to avoid using the vulnerable firmware versions and consider replacing the device with a secure alternative.

