CVE-2026-36606 Overview
CVE-2026-36606 affects the Mercusys AC12G (EU) V1 router running firmware AC12G(EU)_V1_200909. The device encrypts configuration backups using single Data Encryption Standard (DES) in Electronic Code Book (ECB) mode with a hardcoded key embedded in the firmware. An attacker who obtains a backup file can decrypt it and recover all stored credentials, including the administrator password, WiFi Pre-Shared Key (PSK), and Dynamic DNS (DDNS) credentials. The weakness is tracked under CWE-798: Use of Hard-coded Credentials.
Critical Impact
Decryption of an exported configuration backup exposes the admin password, WiFi PSK, and DDNS credentials, enabling full router takeover and lateral access to the wireless network.
Affected Products
- Mercusys AC12G (EU) V1
- Firmware version AC12G(EU)_V1_200909
- Configuration backup export functionality
Discovery Timeline
- 2026-06-03 - CVE-2026-36606 published to the National Vulnerability Database (NVD)
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-36606
Vulnerability Analysis
The Mercusys AC12G (EU) V1 router provides a configuration backup feature that exports device settings to a downloadable file. The firmware encrypts this file using single DES in ECB mode with a static key compiled into the binary. Because the key is identical across all units of the same firmware build, any party with access to the firmware image can extract the key and decrypt backups from any other device running the same firmware.
Single DES uses a 56-bit effective key length and is considered obsolete for confidentiality protection. ECB mode further weakens the construction by encrypting each 8-byte block independently, so identical plaintext blocks produce identical ciphertext blocks and the repetitive structure of the configuration data shows through in the ciphertext. Combined with the hardcoded key, the backup file offers no meaningful protection against an attacker who obtains it.
The attack is local because the attacker must first acquire the backup file, typically by authenticating to the web interface as a low-privileged user, capturing a transferred backup, or recovering it from a workstation that stored it.
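The two weaknesses described above can be seen directly in a small reproduction. The following Go program is an added example, not code from this advisory or from the vendor: it encrypts a constructed configuration record (fixed-width, zero-padded fields, the layout binary config formats commonly use) with single DES in ECB mode under a constructed placeholder key, then counts how many ciphertext blocks repeat an earlier one. That repeat count is a cheap triage check a defender can run over a suspect backup file without any key material; a CBC encryption of the same data is included for comparison. The key bytes, field layout and field values are all assumptions made for the example.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"fmt"
)

// hardcodedKey stands in for a key constant compiled into the firmware. It is
// a constructed value for this example, not the key from the affected device;
// what matters is that every unit of the same build shares it.
var hardcodedKey = []byte("examplek") // DES takes a 64-bit (8-byte) key

// fixedField mimics a fixed-width, zero-padded field in a binary config
// struct, the layout that makes exported backups so repetitive.
func fixedField(value string, size int) []byte {
	b := make([]byte, size)
	copy(b, value)
	return b
}

// sampleConfig is a constructed stand-in for an exported backup: a 32-byte
// admin user field followed by a 64-byte WiFi PSK field.
var sampleConfig = append(fixedField("admin", 32), fixedField("MyWifiPass", 64)...)

// pkcs7Pad pads data up to a whole number of blocks.
func pkcs7Pad(data []byte, blockSize int) []byte {
	n := blockSize - len(data)%blockSize
	out := make([]byte, len(data), len(data)+n)
	copy(out, data)
	for i := 0; i < n; i++ {
		out = append(out, byte(n))
	}
	return out
}

// desECBEncrypt reproduces the weak construction: single DES, ECB mode, one
// static key. Every block is encrypted independently, so equal plaintext
// blocks always give equal ciphertext blocks.
func desECBEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := des.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	padded := pkcs7Pad(plaintext, bs)
	out := make([]byte, len(padded))
	for i := 0; i < len(padded); i += bs {
		block.Encrypt(out[i:i+bs], padded[i:i+bs])
	}
	return out, nil
}

// desCBCEncrypt is the same cipher in CBC mode (still DES, still weak, but
// the chaining hides block repetition), included only for comparison. The
// all-zero IV is a constructed value so the output is reproducible.
func desCBCEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := des.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext, block.BlockSize())
	out := make([]byte, len(padded))
	iv := make([]byte, block.BlockSize())
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out, nil
}

// repeatedBlocks counts ciphertext blocks that duplicate an earlier block.
// On a real backup file a high count is a strong hint that the file was
// produced in ECB mode and that its plaintext has repetitive structure.
func repeatedBlocks(ciphertext []byte, blockSize int) int {
	seen := map[string]bool{}
	dups := 0
	for i := 0; i+blockSize <= len(ciphertext); i += blockSize {
		b := string(ciphertext[i : i+blockSize])
		if seen[b] {
			dups++
		}
		seen[b] = true
	}
	return dups
}

func main() {
	ecb, _ := desECBEncrypt(hardcodedKey, sampleConfig)
	cbc, _ := desCBCEncrypt(hardcodedKey, sampleConfig)
	fmt.Printf("ECB: %d of %d blocks repeat an earlier block\n", repeatedBlocks(ecb, 8), len(ecb)/8)
	fmt.Printf("CBC: %d of %d blocks repeat an earlier block\n", repeatedBlocks(cbc, 8), len(cbc)/8)
}
```

Because a block cipher is a permutation, the repeat count depends only on the plaintext layout and not on the key value, which is why the check needs no key material. The two-field sample already yields 8 repeated blocks out of 13 under ECB and none under CBC; a real backup carries far more zero padding and repeated field names, so the count on an ECB-encrypted file is typically much higher.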
Root Cause
The root cause is the use of a hardcoded symmetric key for backup encryption combined with a deprecated cipher and weak mode of operation. Extracting the key from the firmware reduces the encryption to obfuscation. The design violates secure key management principles, which require per-device or per-user key derivation rather than embedded constants.
Attack Vector
An attacker authenticates to the router with low privileges and triggers a configuration export, or recovers a previously saved backup file from an administrator's workstation. The attacker then reverse engineers the firmware to obtain the static DES key and decrypts the file offline. The recovered plaintext contains the admin password, WiFi PSK, and DDNS credentials in clear form, enabling administrative takeover and network compromise.
The vulnerability mechanism is documented in the GitHub Advisory for CVE-2026-36606. No proof-of-concept exploit code is published in the NVD record.
Detection Methods for CVE-2026-36606
Indicators of Compromise
- Unexpected configuration backup downloads from the router's web interface logged outside normal administrative windows.
- Unauthorized changes to WiFi PSK, admin password, or DDNS settings following access to a backup file.
- Presence of router backup files (typically .bin or .cfg) on user endpoints or in cloud storage that should not retain such artifacts.
Detection Strategies
- Inspect router administrative logs for configuration export events and correlate them with the authenticated source IP address.
- Monitor file shares and endpoints for stored router backup files and flag their presence for review.
- Alert on WiFi or admin credential changes that occur without a corresponding administrative ticket or change request.
Monitoring Recommendations
- Capture authentication events to the router management interface and forward them to a centralized log store for analysis.
- Track DDNS configuration updates from the affected router, since stolen DDNS credentials can be reused to redirect external services.
- Watch for new wireless clients connecting after a known backup file exposure event.
How to Mitigate CVE-2026-36606
Immediate Actions Required
- Treat any previously exported backup file as compromised and rotate the admin password, WiFi PSK, and DDNS credentials.
- Restrict access to the router management interface to trusted administrators on a dedicated management VLAN.
- Delete stored backup files from workstations, email, and cloud storage where they are no longer required.
Patch Information
No vendor patch is referenced in the NVD entry for CVE-2026-36606 at the time of publication. Consult the GitHub Advisory for CVE-2026-36606 and the Mercusys support site for firmware updates addressing the hardcoded DES key issue.
Workarounds
- Avoid using the built-in configuration backup feature until a firmware fix replaces single DES with an authenticated cipher and per-device key.
- Store any required backups in an external encrypted container, such as a password manager or an AES-encrypted archive, rather than relying on the router's protection.
- Segment the router's management network from general user traffic to reduce the chance that a low-privileged account can reach the backup export function.
# Configuration example: limit management access to a trusted host
# Example firewall rule on an upstream device (illustrative only)
iptables -A FORWARD -p tcp -d <router_ip> --dport 80 -s <admin_workstation_ip> -j ACCEPT
iptables -A FORWARD -p tcp -d <router_ip> --dport 80 -j DROP
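As an added example of the key management the Root Cause and Workarounds sections call for (not code from the vendor or from this advisory), the Go program below sketches a backup format with no constant worth extracting: the key is derived from a user-chosen passphrase with PBKDF2-HMAC-SHA256, salted with a fresh random value and the device identifier, and the file is protected with AES-256-GCM so that any change to header or body is rejected on import. The file layout (magic, salt, nonce), the iteration count, the device identifier format and the sample configuration string are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed file layout: magic(4) | salt(16) | nonce(12) | AES-GCM body+tag.
// The whole header is bound into the authentication tag as additional data.
const (
	magic         = "BKP1"
	saltLen       = 16
	nonceLen      = 12
	headerLen     = len(magic) + saltLen + nonceLen
	kdfIterations = 200000 // deliberately slow: the passphrase is human-chosen
)

// pbkdf2SHA256 returns one 32-byte block of PBKDF2-HMAC-SHA256 (RFC 8018
// section 5.2), exactly an AES-256 key; written out to stay standard-library only.
func pbkdf2SHA256(password, salt []byte, iterations int) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // INT(1): big-endian block index
	u := prf.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// deriveKey ties the key to the passphrase, a per-backup random salt and the
// device identity: no two backups and no two devices ever share a key.
func deriveKey(passphrase, salt []byte, deviceID string) []byte {
	bound := append(append([]byte(nil), salt...), deviceID...)
	return pbkdf2SHA256(passphrase, bound, kdfIterations)
}

func newGCM(passphrase, salt []byte, deviceID string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(deriveKey(passphrase, salt, deviceID))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealBackup encrypts a configuration blob for export.
func sealBackup(passphrase []byte, deviceID string, config []byte) ([]byte, error) {
	header := make([]byte, headerLen)
	copy(header, magic)
	if _, err := rand.Read(header[len(magic):]); err != nil { // fresh salt + nonce
		return nil, err
	}
	salt, nonce := header[len(magic):len(magic)+saltLen], header[len(magic)+saltLen:]
	gcm, err := newGCM(passphrase, salt, deviceID)
	if err != nil {
		return nil, err
	}
	return append(header, gcm.Seal(nil, nonce, config, header)...), nil
}

// openBackup verifies and decrypts an exported file. A modified header or body,
// or the wrong passphrase or device, fails closed instead of returning garbage.
func openBackup(passphrase []byte, deviceID string, file []byte) ([]byte, error) {
	if len(file) < headerLen+16 || string(file[:len(magic)]) != magic {
		return nil, errors.New("not a recognised backup file")
	}
	header := file[:headerLen]
	salt, nonce := header[len(magic):len(magic)+saltLen], header[len(magic)+saltLen:]
	gcm, err := newGCM(passphrase, salt, deviceID)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, file[headerLen:], header)
}

func main() {
	pw, id := []byte("correct horse battery staple"), "SERIAL-0001"
	config := []byte("admin_pw=REDACTED;wifi_psk=REDACTED") // constructed sample
	file, _ := sealBackup(pw, id, config)
	got, err := openBackup(pw, id, file)
	fmt.Println("right device and passphrase:", err == nil && bytes.Equal(got, config))
	_, err = openBackup(pw, "SERIAL-0002", file)
	fmt.Println("other device rejected:", err != nil)
	file[len(file)-1] ^= 1 // flip one bit of the authentication tag
	_, err = openBackup(pw, id, file)
	fmt.Println("tampered file rejected:", err != nil)
}
```

Two consequences of this design are worth noting. Exporting the same configuration twice produces two unrelated files, so nothing about one router's backup helps with another's, and the authenticated header means a backup cannot be quietly re-pointed at a different device or edited to plant settings before a restore. Restoring onto replacement hardware is still possible because the device identifier is an input the administrator can supply, not a secret baked into the firmware.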
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.