CVE-2026-36609 Overview
CVE-2026-36609 affects the Mercusys AC12G (EU) V1 router running firmware AC12G(EU)_V1_200909. The router uses a static authentication nonce that does not rotate between requests originating from the same source IP. The static nonce combines with a predictable XOR-based password encoding routine implemented in the securityEncode function. An attacker who captures an authentication token can reverse the encoding and recover the plaintext administrator password. The weakness maps to CWE-327: Use of a Broken or Risky Cryptographic Algorithm.
Critical Impact
Network-adjacent attackers can capture authentication traffic and recover the router administrator password, granting full device control.
Affected Products
- Mercusys AC12G (EU) V1 router
- Firmware version AC12G(EU)_V1_200909
- Devices exposing the web management interface to untrusted networks
Discovery Timeline
- 2026-06-03 - CVE-2026-36609 published to NVD
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-36609
Vulnerability Analysis
The Mercusys AC12G web interface authenticates administrators by encoding the password client-side and submitting an authentication token. The encoding routine, named securityEncode, applies an XOR transformation against a nonce returned by the server. In a secure implementation, the nonce would be unique per session or per request. The AC12G firmware instead returns the same nonce for every request that arrives from a given source IP address. The encoding function uses XOR with a predictable key schedule; XOR is a reversible operation, not a one-way cryptographic hash, so the token carries the password rather than a proof of knowing it.
An attacker positioned on the same network segment can capture an authenticated request, observe the static nonce, and reverse the XOR operation to recover the password in cleartext. The attacker can then authenticate to the device and modify routing, DNS, firewall, or firmware configuration.
Root Cause
The root cause is the combination of two design flaws. First, the authentication nonce is not session-bound or single-use. Second, the securityEncode function uses a reversible XOR encoding instead of a one-way function such as HMAC-SHA256. Together these flaws turn the authentication token into a recoverable representation of the password.
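The following is an added illustration, not code from the advisory or from the Mercusys firmware. It contrasts the two properties described above: a toy XOR encoding (a simplified stand-in, not the device's securityEncode, whose real key schedule is not reproduced here) is an involution, so a token plus its nonce yields the input back; a per-request, single-use nonce verified with HMAC-SHA256 gives a token that differs on every login and cannot be replayed. The secret, nonce length and server class are assumptions made for the example.

```python
import hashlib
import hmac
import secrets


def xor_encode(data: bytes, nonce: bytes) -> bytes:
    """Toy reversible encoding: XOR each byte with a repeating nonce.
    Constructed for illustration; NOT the device's securityEncode."""
    return bytes(b ^ nonce[i % len(nonce)] for i, b in enumerate(data))


def xor_token_reveals_password(password: bytes, nonce: bytes) -> bool:
    """XOR is its own inverse: applying the same nonce to the token
    returns the password, so a static nonce turns every token into a
    recoverable copy of the credential."""
    token = xor_encode(password, nonce)
    return xor_encode(token, nonce) == password


class ChallengeResponseServer:
    """Hardened scheme (assumed design): fresh random nonce per request,
    consumed on first use, verified with HMAC-SHA256 rather than reversed."""

    def __init__(self, secret: bytes):
        # A real deployment would store a verifier derived from the password
        # with a password hash (e.g. PBKDF2); a constructed secret is used here.
        self._secret = secret
        self._outstanding: set[bytes] = set()

    def issue_nonce(self) -> bytes:
        # Unique per request, not per source IP; 16 random bytes is an assumption.
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self._outstanding:
            return False  # unknown or already-consumed nonce: replay rejected
        self._outstanding.discard(nonce)  # single use
        expected = hmac.new(self._secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(secret: bytes, nonce: bytes) -> bytes:
    """Client side of the hardened scheme: prove knowledge of the secret
    without transmitting anything the server can decode back into it."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def demo() -> dict:
    """Run both schemes once and report the properties that matter."""
    secret = b"constructed-admin-secret"  # constructed sample value
    server = ChallengeResponseServer(secret)

    n1 = server.issue_nonce()
    r1 = client_response(secret, n1)
    first_login = server.verify(n1, r1)
    replay_accepted = server.verify(n1, r1)  # same token presented again

    n2 = server.issue_nonce()
    r2 = client_response(secret, n2)

    return {
        "xor_reversible": xor_token_reveals_password(b"hunter2", b"\x13\x37"),
        "first_login": first_login,
        "replay_accepted": replay_accepted,
        "nonces_differ": n1 != n2,
        "tokens_differ": r1 != r2,
    }


if __name__ == "__main__":
    print(demo())
```

Note that a challenge-response over a password-derived secret still lets a passive observer run offline guesses against a weak password; it removes the direct reversal and the replay, which is why the workarounds below also call for TLS-protected administration.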
Attack Vector
The attack vector is network-based and requires no prior authentication or user interaction. An attacker on the local network can passively capture a login request, or actively trigger authentication, then perform offline reversal of the captured token. The vulnerability does not require physical access or credentials.
No verified public exploit code is available. Technical details are documented in the GitHub Advisory for CVE-2026-36609.
Detection Methods for CVE-2026-36609
Indicators of Compromise
- Unexpected administrator logins to the router web interface from internal IP addresses
- Configuration changes to DNS, DHCP, or firewall rules that were not made by an administrator
- Firmware version AC12G(EU)_V1_200909 running on Mercusys AC12G (EU) V1 hardware
Detection Strategies
- Inspect router logs for repeated authentication requests from a single source IP, which may indicate token capture activity
- Monitor the LAN for unauthorized ARP spoofing or traffic capture tools that could intercept management traffic
- Compare current router configuration against a known-good baseline to detect tampering
Monitoring Recommendations
- Forward router syslog events to a centralized log platform and alert on administrative login events
- Track outbound DNS queries from clients to detect rogue DNS configurations set by an attacker who has authenticated to the router
- Audit management interface access on a recurring schedule and verify only authorized source IPs reach the admin portal
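As an added example, not part of the advisory, the script below runs the two log-based checks above (repeated authentication requests from one source IP, and administrative logins from hosts outside an allow-list) plus the configuration-baseline comparison over constructed sample data. The syslog line format, the field names and the allow-list are assumptions; the AC12G's real log format is not documented on this page.

```python
import re
from collections import Counter

# Constructed sample syslog lines (format is an assumption, not the device's).
SAMPLE_LOGS = """\
Jun 03 10:00:01 router httpd: auth request from 192.168.1.20
Jun 03 10:00:02 router httpd: auth request from 192.168.1.20
Jun 03 10:00:03 router httpd: auth request from 192.168.1.20
Jun 03 10:00:04 router httpd: auth request from 192.168.1.20
Jun 03 10:00:05 router httpd: admin login success from 192.168.1.20
Jun 03 10:00:07 router httpd: auth request from 192.168.1.31
Jun 03 10:00:09 router httpd: admin login success from 192.168.1.77
Jun 03 10:00:10 router dhcpd: lease 192.168.1.50 to aa:bb:cc:dd:ee:ff
""".splitlines()

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
AUTH_RE = re.compile(r"auth request from " + IPV4)
LOGIN_RE = re.compile(r"admin login success from " + IPV4)


def repeated_auth_sources(lines, threshold: int) -> dict:
    """Source IPs with at least `threshold` authentication requests.
    A burst from one host can indicate token capture or reuse attempts."""
    counts = Counter()
    for line in lines:
        m = AUTH_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def unauthorized_admin_logins(lines, allowed: set) -> list:
    """Admin logins from hosts that are not on the approved admin list."""
    hits = []
    for line in lines:
        m = LOGIN_RE.search(line)
        if m and m.group(1) not in allowed:
            hits.append(m.group(1))
    return hits


def config_drift(baseline: dict, current: dict) -> dict:
    """Keys whose value changed or that appeared since the known-good baseline."""
    drift = {}
    for key in set(baseline) | set(current):
        if baseline.get(key) != current.get(key):
            drift[key] = (baseline.get(key), current.get(key))
    return drift


def run_checks() -> dict:
    """Apply all three detections to the constructed data."""
    # Constructed baseline and current configuration snapshots.
    baseline = {"dns1": "192.0.2.53", "dns2": "192.0.2.54", "remote_mgmt": "off"}
    current = {"dns1": "198.51.100.9", "dns2": "192.0.2.54", "remote_mgmt": "on"}
    return {
        "repeated_auth": repeated_auth_sources(SAMPLE_LOGS, threshold=3),
        "unexpected_admins": unauthorized_admin_logins(SAMPLE_LOGS, {"192.168.1.20"}),
        "config_drift": config_drift(baseline, current),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name}: {result}")
```

The threshold and allow-list are the tunables a defender sets per site; the drift check is most useful when the baseline snapshot is taken right after a password change and a firmware review.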
How to Mitigate CVE-2026-36609
Immediate Actions Required
- Restrict access to the router management interface to a dedicated administrative VLAN or specific trusted hosts
- Disable remote (WAN-side) management on the device until a fixed firmware is available
- Change the administrator password and rotate any credentials reused elsewhere
- Treat the local network as a sensitive segment and limit who can plug into wired ports or join Wi-Fi
Patch Information
No vendor patch is referenced in the available advisory data. Monitor the GitHub Advisory for CVE-2026-36609 and the Mercusys support site for firmware updates that replace the securityEncode routine with a non-reversible authentication scheme.
Workarounds
- Place the router behind an additional managed firewall and block management ports from untrusted segments
- Use Ethernet rather than open Wi-Fi when performing administrative tasks to reduce passive capture risk
- Replace the affected device with a model that uses TLS-protected administration and session-bound nonces if no firmware update becomes available
# Configuration example: restrict management interface to a single admin host
# Apply on an upstream firewall protecting the router LAN
# Rules are evaluated in order: the ACCEPT for the admin host must precede the DROPs
# 192.0.2.10 is the admin host, 192.168.1.1 is the router
iptables -A FORWARD -s 192.0.2.10 -d 192.168.1.1 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -d 192.168.1.1 -p tcp --dport 80 -j DROP
# HTTPS is dropped for every host, including the admin host
iptables -A FORWARD -d 192.168.1.1 -p tcp --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.