CVE-2026-36607 Overview
CVE-2026-36607 affects the Mercusys AC12G (EU) V1 wireless router running firmware AC12G(EU)_V1_200909. The TP-Link Device Debug Protocol (TDDP) password change endpoint (code=10) lacks rate limiting and account lockout controls. The login endpoint (code=7) enforces these protections, but the password change handler does not. An attacker on the adjacent network can issue unlimited authentication attempts to recover the administrative password. This weakness is classified under [CWE-307]: Improper Restriction of Excessive Authentication Attempts.
Critical Impact
Unauthenticated attackers on the adjacent network can brute-force the router administrator password without triggering lockout, leading to full device compromise.
Affected Products
- Mercusys AC12G (EU) V1
- Firmware version AC12G(EU)_V1_200909
- TDDP service exposed on the local/adjacent network
Discovery Timeline
- 2026-06-03 - CVE-2026-36607 published to NVD
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-36607
Vulnerability Analysis
The Mercusys AC12G router exposes the TP-Link Device Debug Protocol (TDDP) for configuration and management. TDDP requests are dispatched by a numeric code field that selects the action handler. The login handler (code=7) enforces authentication throttling and lockout after repeated failures. The password change handler (code=10) accepts authentication material but does not share the same throttling logic. The result is an asymmetric control surface where the brute-force protection on one endpoint can be bypassed by targeting a parallel handler that validates the same credential material.
Root Cause
The root cause is missing rate limiting on the TDDP code=10 password change endpoint. The developer applied the lockout control to code=7 but did not extend it to other handlers that perform credential validation. This is a classic [CWE-307] omission, where security controls are not consistently applied across all authentication code paths handling the same secret.
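The following is an added illustration of the control gap described above, not code from the AC12G firmware or the advisory: a small Python model of a TDDP-style dispatcher in which the failure counter guards only the login handler (code=7), so the password change handler (code=10) compares the same secret without any throttling. The hardened variant routes every credential comparison through one shared throttle. The credential store, lockout threshold, lockout duration and source addresses are all assumptions chosen for the demonstration.

```python
"""CWE-307 across two handlers: a lockout that wraps only the login path
(code=7) is sidestepped by a second path (code=10) that validates the same
secret. Hypothetical model for illustration, not the device's firmware."""
import hashlib
import hmac
import time

LOGIN = 7               # TDDP opcode for login (from the advisory)
CHANGE_PASSWORD = 10    # TDDP opcode for password change (from the advisory)

MAX_FAILURES = 5        # assumed lockout threshold
LOCKOUT_SECONDS = 300   # assumed lockout duration


def _digest(password: str) -> bytes:
    # Constructed credential store; a stand-in, not the device's real scheme.
    return hashlib.sha256(b"constructed-salt:" + password.encode()).digest()


class AuthThrottle:
    """Per-source failure counter with lockout, meant to be shared by every
    code path that compares the administrator secret."""

    def __init__(self, now=time.monotonic):
        self._now = now
        self._failures = {}       # src -> consecutive failure count
        self._locked_until = {}   # src -> monotonic time lockout ends

    def is_locked(self, src):
        return self._now() < self._locked_until.get(src, 0.0)

    def record(self, src, success):
        if success:
            self._failures.pop(src, None)
            return
        count = self._failures.get(src, 0) + 1
        self._failures[src] = count
        if count >= MAX_FAILURES:
            self._locked_until[src] = self._now() + LOCKOUT_SECONDS
            self._failures.pop(src, None)


class VulnerableDispatcher:
    """Throttle consulted on code=7 only; code=10 checks the same secret unthrottled."""

    def __init__(self, admin_password):
        self._stored = _digest(admin_password)
        self.throttle = AuthThrottle()
        self.attempts_evaluated = 0   # how often the secret was actually compared

    def _check(self, candidate):
        self.attempts_evaluated += 1
        return hmac.compare_digest(self._stored, _digest(candidate))

    def handle(self, src, code, old_password, new_password=None):
        if code == LOGIN:
            if self.throttle.is_locked(src):
                return "locked"
            ok = self._check(old_password)
            self.throttle.record(src, ok)
            return "ok" if ok else "bad-credentials"
        if code == CHANGE_PASSWORD:
            # No lockout check and no failure accounting here: the CWE-307 gap.
            ok = self._check(old_password)
            if ok:
                self._stored = _digest(new_password)
            return "ok" if ok else "bad-credentials"
        return "unknown-code"


class HardenedDispatcher(VulnerableDispatcher):
    """Every handler that compares the admin secret goes through one throttle."""

    def _guarded_check(self, src, candidate):
        if self.throttle.is_locked(src):
            return None
        ok = self._check(candidate)
        self.throttle.record(src, ok)
        return ok

    def handle(self, src, code, old_password, new_password=None):
        if code not in (LOGIN, CHANGE_PASSWORD):
            return "unknown-code"
        ok = self._guarded_check(src, old_password)
        if ok is None:
            return "locked"
        if ok and code == CHANGE_PASSWORD:
            self._stored = _digest(new_password)
        return "ok" if ok else "bad-credentials"


def simulate(dispatcher, code, attempts=20):
    """Send `attempts` wrong passwords on `code` from one constructed source.
    Returns (secret comparisons performed, responses that were 'locked')."""
    src = "10.0.0.5"  # constructed client address
    results = [dispatcher.handle(src, code, f"wrong-{i}", "x") for i in range(attempts)]
    return dispatcher.attempts_evaluated, results.count("locked")
```

Running `simulate` against the vulnerable dispatcher on code=10 shows every one of the 20 guesses reaching the secret comparison, while the same guesses on code=7 stop being evaluated after the fifth. The hardened dispatcher gives the code=7 behaviour on both opcodes, because the throttle is keyed to the act of checking the secret rather than to a particular handler.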
Attack Vector
Exploitation requires adjacent network access, meaning the attacker must reside on the same Layer 2 segment or Wi-Fi network as the router. The attacker repeatedly issues TDDP requests with code=10 and iterates candidate passwords. Because the endpoint does not increment a failure counter or enforce a backoff, the attacker can submit credentials at line speed. Once the password is recovered, the attacker gains administrative control of the router, which enables traffic interception, DNS manipulation, firmware tampering, and pivoting into connected networks.
The vulnerability is described in prose only; no verified proof-of-concept code is published. Refer to the GitHub Security Advisory for the original technical writeup.
Detection Methods for CVE-2026-36607
Indicators of Compromise
- High-frequency TDDP traffic to UDP port 1040 from a single adjacent host
- Repeated requests carrying the TDDP opcode code=10 against the router management interface
- Unexpected administrator password changes or session creation following a burst of TDDP traffic
- New or modified DNS, DHCP, or port-forwarding configuration on the router
Detection Strategies
- Capture LAN-side traffic and alert on volumetric TDDP requests targeting the router IP
- Baseline normal management traffic so non-administrative hosts issuing TDDP code=10 requests are flagged
- Correlate router syslog events for configuration changes with preceding TDDP activity from the same source
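As an added example of the three strategies above (not part of the original advisory), the Python below runs them over constructed LAN-side packet metadata and constructed router syslog lines: a sliding-window count flags a single host sending volumetric UDP/1040 traffic to the router, a baseline of known administrative hosts flags any other host issuing code=10 requests, and a configuration-change log event is paired with the TDDP burst that preceded it. The router address, the admin-host baseline, the thresholds, the syslog wording and the assumption that the capture tool has already decoded the TDDP opcode are all assumptions of this example.

```python
"""Detection over constructed packet metadata and router syslog lines.
The TDDP opcode field is assumed to have been decoded by the capture tool."""
from collections import defaultdict, deque

ROUTER_IP = "192.168.0.1"        # constructed router address
TDDP_PORT = 1040                 # UDP port named in the advisory
PASSWORD_CHANGE = 10             # TDDP opcode named in the advisory
ADMIN_HOSTS = {"192.168.0.10"}   # constructed baseline of hosts allowed to manage the router
BURST_THRESHOLD = 20             # assumed: packets per window that count as volumetric
WINDOW_SECONDS = 10.0            # assumed sliding-window length
CORRELATION_SECONDS = 120.0      # assumed: config change this soon after a burst is suspicious

# Constructed flow records: (timestamp, src_ip, dst_ip, dst_port, tddp_code or None)
RECORDS = (
    [(100.0 + 0.2 * i, "192.168.0.10", ROUTER_IP, TDDP_PORT, 7) for i in range(3)]
    + [(200.0 + 0.05 * i, "192.168.0.77", ROUTER_IP, TDDP_PORT, PASSWORD_CHANGE)
       for i in range(50)]
    + [(300.0, "192.168.0.44", "8.8.8.8", 53, None)]
)

# Constructed router syslog lines with a "ts=<seconds>" prefix
SYSLOG = [
    "ts=150 router: user admin logged in from 192.168.0.10",
    "ts=240 router: admin password changed",
    "ts=900 router: dhcp lease renewed for 192.168.0.44",
]


def detect_tddp_bursts(records):
    """Per-source sliding window over TDDP packets to the router.
    Returns {src_ip: timestamp of the first packet in the burst window}."""
    windows = defaultdict(deque)
    alerts = {}
    for ts, src, dst, dport, _code in sorted(records, key=lambda r: r[0]):
        if dst != ROUTER_IP or dport != TDDP_PORT:
            continue
        q = windows[src]
        q.append(ts)
        while q and ts - q[0] > WINDOW_SECONDS:
            q.popleft()
        if len(q) >= BURST_THRESHOLD and src not in alerts:
            alerts[src] = q[0]
    return alerts


def detect_unexpected_password_change_requests(records):
    """Baseline check: any host outside ADMIN_HOSTS sending code=10 to the router."""
    return sorted({src for _ts, src, dst, dport, code in records
                   if dst == ROUTER_IP and dport == TDDP_PORT
                   and code == PASSWORD_CHANGE and src not in ADMIN_HOSTS})


def correlate_config_changes(syslog_lines, bursts):
    """Pair configuration-change syslog events with a preceding TDDP burst.
    Returns [(burst_src_ip, event_timestamp)]."""
    hits = []
    for line in syslog_lines:
        head, _, msg = line.partition(" ")
        ts = float(head.split("=", 1)[1])
        if "password changed" not in msg and "configuration changed" not in msg:
            continue
        for src, burst_ts in bursts.items():
            if 0 <= ts - burst_ts <= CORRELATION_SECONDS:
                hits.append((src, ts))
    return hits


if __name__ == "__main__":
    bursts = detect_tddp_bursts(RECORDS)
    print("bursts:", bursts)
    print("non-admin code=10 sources:", detect_unexpected_password_change_requests(RECORDS))
    print("config changes after a burst:", correlate_config_changes(SYSLOG, bursts))
```

With the constructed input, the three administrative login packets from the baseline host never reach the threshold, the 50-packet burst from 192.168.0.77 is flagged at its twentieth packet, and the "admin password changed" event 40 seconds later is attributed to that same source. In production the records would come from a LAN-side capture (for example a mirror port) and the syslog lines from the router's remote logging, both stored in the SIEM as the monitoring recommendations suggest.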
Monitoring Recommendations
- Forward router logs and adjacent-network packet metadata to a centralized SIEM or data lake for retention
- Monitor for client devices generating outbound scans or credential-spraying patterns against the gateway
- Track firmware version and configuration drift on the AC12G to identify post-compromise tampering
How to Mitigate CVE-2026-36607
Immediate Actions Required
- Restrict physical and wireless access to the router by disabling open or weakly secured Wi-Fi networks
- Place the router management interface on an isolated VLAN that only trusted administrative hosts can reach
- Replace the default and any previously configured administrator password with a long, high-entropy value
- Audit router configuration, DNS settings, and connected client list for signs of unauthorized changes
Patch Information
No vendor patch is referenced in the published advisory at the time of NVD publication. Monitor the GitHub Security Advisory and Mercusys support channels for firmware updates addressing the TDDP rate-limiting gap.
Workarounds
- Disable remote management and any non-essential TDDP services if the firmware allows it
- Segment the router from untrusted devices and IoT endpoints using a separate SSID or VLAN
- Use long, unique administrator credentials to maximize the search space against brute-force attempts
- Consider replacing the device with a model that receives active security maintenance if no patch is released
# Example: isolate router management to a trusted admin subnet using iptables on an upstream gateway
iptables -A FORWARD -p udp --dport 1040 -s 192.168.10.0/24 -d 192.168.0.1 -j ACCEPT
iptables -A FORWARD -p udp --dport 1040 -d 192.168.0.1 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.