CVE-2026-36612 Overview
CVE-2026-36612 affects the Mercusys AC12G (EU) V1 wireless router running firmware AC12G(EU)_V1_200909. The device enables Wi-Fi Protected Setup (WPS) 2.0 by default and applies a weak lockout policy of only 60 seconds after 10 failed PIN attempts. This configuration allows attackers within wireless range to brute-force the 8-digit WPS PIN over time and recover the WPA/WPA2 pre-shared key. The flaw is a configuration and design weakness rather than a code-level memory error, classified under Insecure Default Configuration.
Critical Impact
An attacker in wireless range can brute-force the WPS PIN and recover the Wi-Fi pre-shared key, gaining full network access.
Affected Products
- Mercusys AC12G (EU) V1
- Firmware version AC12G(EU)_V1_200909
- Devices with WPS 2.0 enabled in default configuration
Discovery Timeline
- 2026-06-03 - CVE-2026-36612 published to NVD
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-36612
Vulnerability Analysis
The Mercusys AC12G (EU) V1 ships with WPS 2.0 enabled out of the box. WPS authenticates clients using an 8-digit PIN, but the protocol design splits the PIN into two halves that are validated independently. This reduces the effective search space from 10^8 to roughly 11,000 combinations. To mitigate online PIN guessing, WPS 2.0 requires registrar lockout after repeated failures. The Mercusys implementation locks the registrar for only 60 seconds after 10 attempts, then resumes accepting PIN guesses.
An attacker within radio range can iterate through the PIN space at a sustained rate. With a 60-second cooldown per 10 attempts, the full PIN space can be exhausted within a practical timeframe. Recovery of the PIN yields the device's WPA/WPA2 pre-shared key, regardless of its length or complexity.
Root Cause
The root cause is an insecure default configuration combined with an insufficient brute-force lockout policy. A secure implementation should disable WPS by default or enforce exponential backoff, permanent lockout after a threshold, or administrative re-enablement. The 60-second window does not deter automated PIN enumeration.
Attack Vector
The attack requires wireless proximity to the target access point. An attacker uses a WPS brute-force tool to send M1 EAPOL-Start frames and iterate registrar PIN guesses. After each lockout of 60 seconds, the attacker resumes from the last attempted PIN. Once the correct PIN is identified, the access point returns the WPA/WPA2 passphrase, giving the attacker full layer-2 access to the wireless network.
No exploitation code is published with the advisory. Refer to the GitHub Security Advisory for the original disclosure details.
Detection Methods for CVE-2026-36612
Indicators of Compromise
- Repeated EAPOL M1/M2 exchanges from a single client MAC against the access point
- Unfamiliar client MAC addresses associating after a successful WPS exchange
- Bursts of WPS registrar requests separated by approximately 60-second gaps
- New devices on the LAN that were not provisioned by the administrator
Detection Strategies
- Inspect the router's wireless event log for repeated WPS PIN failures and lockout events
- Capture 802.11 management frames near the access point and look for sustained WPS Registrar activity from one MAC
- Correlate DHCP lease logs with the wireless association table to spot rogue clients
- Where supported, export router syslog to a central collector and alert on repeating WPS_FAIL patterns
Monitoring Recommendations
- Forward router and wireless syslog to a central log platform and retain at least 30 days of history
- Maintain an inventory of authorized client MAC addresses and alert on first-seen devices
- Periodically audit the router's WPS configuration to confirm it remains disabled
- Monitor for downstream signs of compromise such as unexpected outbound traffic from the SOHO network
How to Mitigate CVE-2026-36612
Immediate Actions Required
- Disable WPS in the Mercusys AC12G web administration interface and save the configuration
- Rotate the WPA2 pre-shared key to a long, random value of at least 20 characters
- Review the connected device list and remove any unrecognized clients
- Check the Mercusys support site for a firmware update that supersedes AC12G(EU)_V1_200909
Patch Information
No vendor patch is referenced in the published advisory. Administrators should monitor the Mercusys support portal for firmware updates that disable WPS by default or strengthen the lockout policy. Until a fix is published, the only reliable mitigation is to disable WPS on the device. See the GitHub Security Advisory for advisory details.
Workarounds
- Disable WPS entirely through the router's web UI under Wireless settings
- Replace the device with hardware that does not enable WPS by default if disabling is not persistent
- Segment the SOHO network from sensitive systems using VLANs or a separate uplink
- Reduce wireless transmit power to limit the radio footprint exposed to attackers
# Verify WPS is disabled after applying the workaround
# From a Linux host with wpa_supplicant tools:
sudo iw dev wlan0 scan | grep -A 5 "<TARGET_SSID>" | grep -i "WPS"
# No WPS information element should be returned for the target SSID
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
