CVE-2026-36610 Overview
CVE-2026-36610 affects the Mercusys AC12G (EU) V1 router running firmware AC12G(EU)_V1_200909. The device transmits Dynamic DNS (DDNS) credentials over plaintext HTTP, applying only Base64 encoding to the request body. The firmware ships without any Transport Layer Security (TLS) implementation for these outbound calls. An attacker positioned on the network path can intercept and decode the credentials in transit. The flaw maps to CWE-319: Cleartext Transmission of Sensitive Information.
Critical Impact
Network-adjacent attackers performing man-in-the-middle (MITM) interception can capture valid DDNS service credentials and reuse them to hijack the victim's dynamic DNS records.
Affected Products
- Mercusys AC12G (EU) V1
- Firmware version AC12G(EU)_V1_200909
- DDNS client component of the router firmware
Discovery Timeline
- 2026-06-03 - CVE-2026-36610 published to NVD
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-36610
Vulnerability Analysis
The Mercusys AC12G (EU) V1 router includes a DDNS client used to update third-party dynamic DNS providers with the device's current public IP address. When the router authenticates to the DDNS provider, it constructs an HTTP request that carries the username and password in the body or headers. The firmware applies Base64 encoding to those credentials but does not encrypt the transport channel.
Base64 is an encoding scheme, not a cryptographic primitive. Any party that captures the HTTP traffic can decode the value back to plaintext with no key material. Because the firmware does not implement HTTPS for this flow, the credentials traverse every intermediate hop in cleartext.
Root Cause
The root cause is the absence of TLS in the firmware's DDNS update routine. The device relies on HTTP rather than HTTPS, and treats Base64 encoding as if it were a confidentiality control. This is a design-level failure to apply the principle of secure-by-default transport for sensitive authentication material.
Attack Vector
An attacker must observe network traffic between the router and the DDNS provider. Suitable positions include a compromised upstream router, an Internet Service Provider (ISP) tap, a rogue Wi-Fi gateway, or an Address Resolution Protocol (ARP) spoofing foothold on the local network segment. Once positioned, the attacker captures the HTTP request, extracts the Base64 string, and decodes it to recover the DDNS account username and password. The high attack complexity reflects the prerequisite of MITM positioning.
No verified proof-of-concept code is published. See the GitHub Advisory CVE-2026-36610 for the original research notes.
Detection Methods for CVE-2026-36610
Indicators of Compromise
- Outbound HTTP requests from the router's WAN interface to DDNS provider endpoints on TCP port 80 instead of TCP port 443.
- Cleartext HTTP requests carrying an Authorization: Basic header, or request bodies containing Base64-encoded credential strings.
- Unexpected changes to DDNS A or AAAA records associated with the affected account.
Detection Strategies
- Inspect router egress traffic with a network sensor and flag any plaintext HTTP requests to known DDNS provider hostnames such as dyndns.org, no-ip.com, or freedns.afraid.org.
- Decode captured Base64 tokens during traffic review and correlate with known DDNS account identifiers to confirm exposure.
- Audit DDNS provider login history for authentications from IP addresses that do not match the router's expected public IP.
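The first two detection strategies above (flagging plaintext HTTP to known DDNS hostnames, then decoding the captured Base64 token to correlate the account) as a small Python check over constructed sample request heads. This is an added example, not code from the advisory or from Mercusys; the provider list reuses the hostnames named above, and the sample requests and credentials are made up for the demonstration.

```python
import base64
import re

# Constructed sample of captured request heads, not real traffic:
# (destination host, destination port, raw HTTP request head).
SAMPLE_REQUESTS = [
    ("members.dyndns.org", 80,
     "GET /nic/update?hostname=home.example.org&myip=203.0.113.7 HTTP/1.1\r\n"
     "Host: members.dyndns.org\r\n"
     "Authorization: Basic ZGRuc3VzZXI6aHVudGVyMg==\r\n\r\n"),
    ("dynupdate.no-ip.com", 443, ""),  # TLS: request head is not readable
    ("www.example.com", 80, "GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
]

# Provider domains from the detection guidance above; match the domain itself
# or any subdomain, but not look-alikes such as dyndns.org.evil.example.
DDNS_PROVIDERS = ("dyndns.org", "no-ip.com", "freedns.afraid.org")
AUTH_RE = re.compile(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$", re.I | re.M)


def is_ddns_provider(host):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in DDNS_PROVIDERS)


def decode_basic_username(token):
    """Base64 needs no key to reverse: recover 'user:password' and return the
    username only; the password is decoded but never stored or returned."""
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, _password = raw.partition(":")
    return user if sep else None


def find_exposed_ddns_credentials(requests):
    """Return (host, port, username) for every non-TLS request to a DDNS
    provider that carries HTTP Basic credentials."""
    findings = []
    for host, port, head in requests:
        if port == 443 or not is_ddns_provider(host):
            continue
        match = AUTH_RE.search(head)
        user = decode_basic_username(match.group(1)) if match else None
        if user is not None:
            findings.append((host, port, user))
    return findings
```

Each finding is the account name to check against the DDNS provider's login history; the sample yields one hit for the dyndns.org request and none for the TLS or non-DDNS traffic.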
Monitoring Recommendations
- Forward perimeter and router telemetry to a Security Information and Event Management (SIEM) platform and alert on HTTP traffic targeting DDNS update URLs.
- Monitor DDNS provider account activity for record modifications outside normal update intervals.
- Track firmware versions across deployed Mercusys devices and flag any unit reporting AC12G(EU)_V1_200909.
How to Mitigate CVE-2026-36610
Immediate Actions Required
- Rotate the DDNS provider credentials configured on any affected Mercusys AC12G (EU) V1 device.
- Disable the built-in DDNS client on the router until a firmware update that enforces TLS is available.
- Restrict the router's outbound HTTP traffic at the upstream gateway and force DDNS updates through a host that supports HTTPS.
Patch Information
No vendor patch is referenced in the available advisory data. Consult the GitHub Advisory CVE-2026-36610 and the Mercusys support site for firmware updates addressing the cleartext transmission issue.
Workarounds
- Replace the router's DDNS function with an external DDNS update client that runs on a trusted host and uses HTTPS.
- Place the router behind a VPN or encrypted tunnel so the plaintext DDNS update is not exposed to untrusted network segments.
- Enable multi-factor authentication on the DDNS provider account where supported to reduce the value of intercepted credentials.
# Example: block plaintext HTTP egress from the router on an upstream Linux gateway
# <router_lan_ip> is a placeholder for the router's address on the gateway's LAN side.
# -I inserts at the top of the chain, so both rules are evaluated before any existing FORWARD rules.
iptables -I FORWARD -s <router_lan_ip> -p tcp --dport 80 -j REJECT
iptables -I FORWARD -s <router_lan_ip> -p tcp --dport 443 -j ACCEPT
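An added example of the first workaround, an HTTPS-only DDNS update client run on a trusted host; it is not the router's or any provider's code. The update URL and its hostname/myip query parameters are placeholder assumptions, so adapt them to the provider's documented API. It goes one step beyond the workaround as stated by also refusing redirects that would downgrade to HTTP or move to another host, since the Basic token is resent on redirects.

```python
import base64
import ssl
import urllib.request
from urllib.parse import urlencode, urlsplit

# Placeholder endpoint and DynDNS-style hostname/myip query parameters: both are
# assumptions for this example, not a specific provider's documented API.
UPDATE_URL = "https://ddns.example/nic/update"


def is_https_url(url):
    return urlsplit(url).scheme == "https"


class NoDowngradeRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse any redirect that would leave HTTPS or change host, because the
    Basic token is resent on redirects; returning None makes urlopen fail."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        same_host = urlsplit(newurl).hostname == urlsplit(req.full_url).hostname
        if not is_https_url(newurl) or not same_host:
            return None
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def build_update_request(url, hostname, myip, username, password):
    """Build the update request; non-HTTPS URLs are rejected up front so the
    credentials can never be put on the wire in cleartext."""
    if not is_https_url(url):
        raise ValueError(f"refusing non-HTTPS DDNS update URL: {url}")
    query = urlencode({"hostname": hostname, "myip": myip})
    req = urllib.request.Request(f"{url}?{query}", method="GET")
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")  # same token, now inside TLS
    return req


def send_update(req, timeout=10):
    """Send with certificate and hostname verification (the defaults of
    create_default_context) and the downgrade-refusing redirect handler."""
    opener = urllib.request.build_opener(
        NoDowngradeRedirect(),
        urllib.request.HTTPSHandler(context=ssl.create_default_context()),
    )
    with opener.open(req, timeout=timeout) as resp:
        return resp.status, resp.read().decode("utf-8", "replace").strip()
```

Run it from cron or a systemd timer on the trusted host with the credentials read from a file that only that user can read; the router's own DDNS client stays disabled.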
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.