CVE-2026-36615 Overview
CVE-2026-36615 is an information disclosure vulnerability in the Mercusys AC12G (EU) V1 wireless router running firmware AC12G(EU)_V1_200909. The device exposes an undocumented /agileconfigreset endpoint that returns internal buffer contents to unauthenticated requests. An attacker on the adjacent network can query this endpoint without credentials and receive memory data that was not intended to leave the device. The issue maps to [CWE-200] Exposure of Sensitive Information to an Unauthorized Actor.
Critical Impact
Unauthenticated adjacent-network attackers can retrieve internal buffer contents from the router, potentially exposing configuration data or transient memory artifacts useful for follow-on attacks.
Affected Products
- Mercusys AC12G (EU) V1
- Firmware version AC12G(EU)_V1_200909
- The undocumented /agileconfigreset HTTP endpoint on the device web interface
Discovery Timeline
- 2026-06-03 - CVE-2026-36615 published to NVD
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-36615
Vulnerability Analysis
The Mercusys AC12G (EU) V1 router ships with an undocumented HTTP endpoint at /agileconfigreset. When this endpoint receives a request, it returns the contents of an internal buffer in the response body. The endpoint does not require authentication, and it does not validate the requester's role or session state. The attack vector is limited to the adjacent network, meaning the attacker must be associated with the wireless LAN or connected to the local Ethernet segment, but no credentials or user interaction are needed.
The vulnerability is classified as Exposure of Sensitive Information to an Unauthorized Actor [CWE-200]. The confidentiality impact is partial; integrity and availability are not affected. The returned buffer may contain residual configuration data, request artifacts, or other in-memory content depending on device state at the time of the request.
Root Cause
The root cause is a hidden management endpoint that was left active in the production firmware without access control or output sanitization. The handler for /agileconfigreset reads from an internal memory buffer and writes its contents directly into the HTTP response. There is no authentication middleware in front of the route, and there is no zeroing of the buffer before it is returned to the client.
Attack Vector
An attacker associated with the local network sends an HTTP request to the router's web management interface targeting /agileconfigreset. The router responds with buffer contents that may include sensitive runtime data. No exploit chain or specialized tooling is required beyond a standard HTTP client. Refer to the GitHub Security Advisory for the technical writeup and request details.
Detection Methods for CVE-2026-36615
Indicators of Compromise
- HTTP GET or POST requests to the path /agileconfigreset on the router management interface from clients on the LAN or wireless segment.
- Unusual HTTP responses from the router containing non-ASCII or structured binary content not associated with normal admin pages.
- Repeated probing of undocumented administrative paths from a single LAN host.
Detection Strategies
- Inspect router access logs and any upstream network sensor logs for requests to /agileconfigreset or other non-standard router paths.
- Deploy a network IDS rule that matches HTTP request URIs containing agileconfigreset directed at router management addresses.
- Baseline expected administrative traffic to the router and alert on requests originating from non-administrator hosts.
Monitoring Recommendations
- Monitor wireless and LAN segments for unauthenticated HTTP traffic targeting the router management interface.
- Track response sizes from the router; anomalously large responses to short URIs may indicate buffer leakage.
- Correlate router access attempts with endpoint telemetry from connected clients to identify the source host.
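The detection strategies and monitoring recommendations above, combined into a small triage script for HTTP sensor logs. This is an added example, not code from the advisory or the vendor; the record layout, IP addresses and thresholds are constructed assumptions to adapt to your own sensor output.

```python
from urllib.parse import unquote, urlsplit

ROUTER_MGMT_IPS = {"192.168.1.1"}   # assumption: router management address
ADMIN_HOSTS = {"192.168.1.10"}      # assumption: baseline of administrator hosts
LEAK_PATH = "/agileconfigreset"     # endpoint named in the advisory
SHORT_URI_LEN = 32                  # assumption: what counts as a "short URI"
LARGE_RESP_BYTES = 4096             # assumption: what counts as "anomalously large"

# Constructed sample records: ts src dst method uri status resp_bytes
SAMPLE_LOG = """\
1780000001 192.168.1.10 192.168.1.1 GET /login.htm 200 2310
1780000002 192.168.1.57 192.168.1.1 GET /agileconfigreset 200 8192
1780000003 192.168.1.57 192.168.1.1 POST /%61gileConfigReset?x=1 200 8192
1780000004 192.168.1.80 192.168.1.1 GET /index.htm 200 500
1780000005 192.168.1.57 10.0.0.5 GET /agileconfigreset 404 0
"""

def normalize_path(uri):
    """Percent-decode, drop the query string, lower-case, strip trailing slashes.
    Normalizing before matching is a conservative choice so that equivalent
    spellings of the path are compared as one."""
    path = unquote(urlsplit(uri).path).lower().rstrip("/")
    return path or "/"

def analyze(log_text):
    """Return one alert dict per suspicious request to the router management IP."""
    alerts = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 7:
            continue  # skip malformed records
        ts, src, dst, method, uri, status, size = fields
        if dst not in ROUTER_MGMT_IPS:
            continue  # only traffic aimed at the router is in scope
        reasons = []
        if normalize_path(uri) == LEAK_PATH:
            reasons.append("leak-endpoint")
        if src not in ADMIN_HOSTS:
            reasons.append("non-admin-source")
        if len(uri) <= SHORT_URI_LEN and size.isdigit() and int(size) >= LARGE_RESP_BYTES:
            reasons.append("large-response")
        if reasons:
            severity = "high" if "leak-endpoint" in reasons else "review"
            alerts.append({"ts": ts, "src": src, "uri": uri,
                           "severity": severity, "reasons": reasons})
    return alerts
```

Calling `analyze(SAMPLE_LOG)` flags the two requests to the undocumented endpoint as `high` and the non-administrator page load as `review`; the `src` field of each alert is the host to correlate with endpoint telemetry.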
How to Mitigate CVE-2026-36615
Immediate Actions Required
- Restrict access to the router management interface to a dedicated management VLAN or trusted host list.
- Disable remote management features and ensure the web interface is not reachable from the WAN.
- Audit firmware version on all deployed Mercusys AC12G (EU) V1 devices and identify those running AC12G(EU)_V1_200909.
- Monitor for vendor firmware updates that address the undocumented endpoint.
Patch Information
No vendor advisory or patched firmware version is listed in the NVD entry at the time of publication. Consult the GitHub Security Advisory and the Mercusys support portal for updates. Apply any firmware revision newer than AC12G(EU)_V1_200909 once the vendor confirms it removes or authenticates the /agileconfigreset endpoint.
Workarounds
- Block external and untrusted-internal access to the router's HTTP management interface using upstream network ACLs.
- Segment IoT and guest wireless networks so that untrusted clients cannot reach the router management IP.
- Where possible, replace affected devices with hardware that receives active security maintenance from the vendor.
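# Example: restrict router admin interface access to a single management host
# Run on an upstream firewall in front of the router management VLAN
# (filters only traffic routed through this firewall, not hosts on the router's own segment)
ROUTER_MGMT_IP="<router-mgmt-ip>"   # placeholder: set before running
ADMIN_HOST_IP="<admin-host-ip>"     # placeholder: set before running
iptables -A FORWARD -p tcp -d "$ROUTER_MGMT_IP" --dport 80 -s "$ADMIN_HOST_IP" -j ACCEPT
iptables -A FORWARD -p tcp -d "$ROUTER_MGMT_IP" --dport 80 -j DROP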


