
CVE-2026-36605: Mercusys AC12G Router DoS Vulnerability

CVE-2026-36605 is a denial-of-service vulnerability in the Mercusys AC12G (EU) V1 router that causes persistent crashes via crafted HTTP requests. This article covers the technical details, affected firmware versions, and mitigation.

CVE-2026-36605 Overview

CVE-2026-36605 is a denial-of-service vulnerability in the Mercusys AC12G (EU) V1 wireless router running firmware version AC12G(EU)_V1_200909. An attacker on the adjacent network can send a low number of crafted incomplete HTTP requests to the router's web management interface. These requests cause a persistent crash of the device. Recovery requires a physical power cycle, leaving the affected network without routing or wireless connectivity until manual intervention occurs. The flaw is categorized under uncontrolled resource consumption [CWE-400].

Critical Impact

A small volume of malformed HTTP requests from an adjacent attacker disables routing and wireless services until the device is manually power cycled.

Affected Products

  • Mercusys AC12G (EU) V1 router
  • Firmware version AC12G(EU)_V1_200909
  • Embedded HTTP management service on the affected firmware

Discovery Timeline

  • 2026-06-03 - CVE-2026-36605 published to NVD
  • 2026-06-03 - Last updated in NVD database

Technical Details for CVE-2026-36605

Vulnerability Analysis

The Mercusys AC12G (EU) V1 router exposes an HTTP-based management interface on the local network. The interface fails to safely handle incomplete HTTP requests. According to the published advisory, a low number of crafted partial requests is sufficient to trigger a persistent crash. The router does not recover on its own and does not reinitialize the HTTP service or network stack. All routing, DHCP, DNS forwarding, and wireless services depending on the device become unavailable until an operator performs a physical power cycle.

Root Cause

The root cause is uncontrolled resource consumption in the HTTP request handler [CWE-400]. The handler does not enforce timeouts, request completeness checks, or per-client connection limits when receiving incomplete request streams. Once internal resources or state are exhausted by the malformed inputs, the service enters a non-recoverable state. The condition propagates beyond the HTTP daemon and impacts overall device availability.

Attack Vector

Exploitation requires access to the adjacent network, such as the LAN or Wi-Fi segments served by the router. No authentication and no user interaction are required. An attacker connects to the device's HTTP management port and transmits a small set of crafted incomplete requests, similar in nature to slow HTTP request patterns. The router crashes and stops serving traffic. The full technical write-up is available in the GitHub Security Advisory.

No verified proof-of-concept code is included in this article. See the linked advisory for request structure details.

Detection Methods for CVE-2026-36605

Indicators of Compromise

  • Sudden loss of LAN and Wi-Fi connectivity provided by a Mercusys AC12G (EU) V1 router with no power or hardware fault.
  • Management interface on the router becomes unreachable while the device still appears powered on.
  • Repeated incidents where service only resumes after a manual power cycle of the router.

Detection Strategies

  • Monitor for short bursts of incomplete or malformed HTTP requests directed at the router's management IP address.
  • Correlate router availability loss with prior HTTP traffic patterns from adjacent network clients.
  • Track connection attempts to the router's HTTP port from unexpected internal hosts, particularly IoT or guest network devices.
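
The first two detection strategies above can be prototyped offline. The following is an added example, not code from the advisory or the vendor: it flags sources that send a burst of HTTP requests with unterminated headers to the router and correlates each burst with the start of an outage. The IP addresses, port, window, threshold and sample records are assumptions constructed for illustration, and the completeness check is generic rather than the advisory's request structure.

```python
from collections import defaultdict
from datetime import datetime, timedelta

ROUTER_IP, MGMT_PORT = "192.0.2.1", 80   # assumed management address and port
WINDOW = timedelta(seconds=60)            # assumed burst window
THRESHOLD = 3                             # assumed alert threshold per source

# Constructed records: (time, src, dst, dst_port, client bytes seen before close)
SAMPLE = [
    ("2026-06-03T10:00:01", "192.0.2.10", "192.0.2.1", 80, b"GET / HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\n"),
    ("2026-06-03T10:01:10", "192.0.2.50", "192.0.2.1", 80, b"GET / HTT"),
    ("2026-06-03T10:02:00", "192.0.2.77", "192.0.2.1", 80, b"GET / HTTP/1.1\r\nHost: 192.0.2.1\r\n"),
    ("2026-06-03T10:02:04", "192.0.2.77", "192.0.2.1", 80, b"GET / HTTP/1.1\r\n"),
    ("2026-06-03T10:02:09", "192.0.2.77", "192.0.2.1", 80, b"POST / HTTP/1.1\r\nHost: 192.0.2.1\r\n"),
    ("2026-06-03T10:02:30", "192.0.2.77", "198.51.100.5", 80, b"GET / HTTP/1.1\r\n"),
]
OUTAGE_START = datetime.fromisoformat("2026-06-03T10:03:00")  # constructed: first failed ping


def is_incomplete(payload: bytes) -> bool:
    """True when the client never sent the blank line that ends the HTTP headers."""
    return b"\r\n\r\n" not in payload


def find_bursts(records, window=WINDOW, threshold=THRESHOLD):
    """Map each source to (first, last, count) of its first qualifying burst."""
    per_src = defaultdict(list)
    for ts, src, dst, dport, payload in records:
        if dst == ROUTER_IP and dport == MGMT_PORT and is_incomplete(payload):
            per_src[src].append(datetime.fromisoformat(ts))
    alerts = {}
    for src, times in per_src.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts[src] = (times[start], t, end - start + 1)
                break
    return alerts


def correlate(alerts, outage_start, lookback=timedelta(minutes=5)):
    """Sources whose burst ended shortly before the router stopped answering."""
    return sorted(src for src, (_, last, _) in alerts.items()
                  if timedelta(0) <= outage_start - last <= lookback)


if __name__ == "__main__":
    for src in correlate(find_bursts(SAMPLE), OUTAGE_START):
        print(f"review host {src}: incomplete-request burst preceded the outage")
```

A single aborted request, such as the one from 192.0.2.50 in the sample, stays below the threshold; tune the window and threshold against normal browser behaviour on the monitored LAN.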

Monitoring Recommendations

  • Enable uptime and ICMP reachability monitoring against the router from a trusted internal host.
  • Log DHCP lease activity to identify clients active immediately before connectivity loss.
  • Where supported, mirror LAN traffic destined for the router's management port to a network sensor for inspection.

How to Mitigate CVE-2026-36605

Immediate Actions Required

  • Restrict access to the router's HTTP management interface to a single trusted administrative host on the LAN.
  • Disable remote and Wi-Fi-side access to the management interface where the firmware allows it.
  • Segment untrusted devices, including IoT and guest endpoints, onto a separate network that cannot reach the router's management IP.

Patch Information

No vendor patch is referenced in the NVD entry or the linked advisory at the time of publication. Users of Mercusys AC12G (EU) V1 on firmware AC12G(EU)_V1_200909 should monitor the GitHub Security Advisory and the Mercusys support channels for an updated firmware release.

Workarounds

  • Place the router behind network access controls that limit who can reach TCP ports used by the management web server.
  • Replace the affected device with a supported router model if a fixed firmware is not available within an acceptable timeframe.
  • Establish an out-of-band recovery procedure, such as a smart power outlet, to reduce downtime when a crash occurs.
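
```bash
# Example: restrict access to the router management interface on a Linux gateway upstream
# Replace 192.0.2.10 with the admin workstation and 192.0.2.1 with the router IP
# Note: FORWARD rules only filter traffic routed through this gateway; hosts on the
# same layer-2 segment as the router reach it directly and are not affected.
# Allow the admin workstation to reach the management web server
iptables -A FORWARD -s 192.0.2.10 -d 192.0.2.1 -p tcp --dport 80 -j ACCEPT
# Drop every other forwarded connection to the management port
iptables -A FORWARD -d 192.0.2.1 -p tcp --dport 80 -j DROP
```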

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
