CVE-2026-36606: Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 encrypts configuration backups with a hardcoded DES key using single DES in ECB mode
Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 encrypts configuration backups with a hardcoded DES key using single DES in ECB mode. An attacker who obtains a backup file can decrypt it to recover all stored credentials including admin password, WiFi PSK, and DDNS credentials.
Metrics
- CVSS v3.1
- 7.1
- Severity
- HIGH
- Fixed in
- —
- Affected Products
- 1
HarborGuard Analysis
Synopsis
A cryptographic weakness in the Mercusys AC12G (EU) V1 router (firmware AC12G(EU)_V1_200909) allows configuration backup files to be trivially decrypted. The firmware encrypts backups using a hardcoded DES key in ECB mode, both of which are well-known weak choices, and exploitation requires only local access with a low-privilege account rather than network exposure. A successful attacker who obtains a backup file recovers all stored credentials, including the admin password, WiFi pre-shared key, and DDNS credentials. No upstream fix has been published; HarborGuard tracks the advisory for patch availability.
HarborGuard Coverage
Detection of CVE-2026-36606 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI pipelines, including internally built images that embed or bundle this firmware version or derived artifacts.
AvailableHarborGuard scores this CVE at 7.1 HIGH using the published CVSS v3.1 vector and weights findings against each environment's compliance policy, routing alerts to the appropriate team inbox within the customer org automatically.
AvailableBecause no fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. In the meantime, compensating-control guidance is surfaced in the finding detail for affected environments.
Pending upstreamExploit Conditions
- Network reachabilityNot required
The attacker needs an existing shell or process on the host; no over-the-network access to the router's network interface is required to exploit this weakness.
- AuthenticationRequired
A low-privilege account on the device or host is sufficient; no administrator rights are needed to obtain a backup file.
- Victim interactionNot required
No user interaction is required; the attacker can act entirely on their own once they have a session.
- Attack complexityDetail
The exploit is reliable and condition-free: the DES key is hardcoded and the ECB mode cipher requires no knowledge of environmental state to apply.
Blast Radius
- Attacker decrypts the configuration backup and reads the router admin password in plaintext.
- Attacker recovers the WiFi pre-shared key, enabling unauthorized network access.
- Attacker obtains stored DDNS credentials, which may be reused across other services.
- Confidentiality and integrity of all credentials stored in the backup are fully compromised; no availability impact is introduced by this attack alone.
How HarborGuard Handles This
Available on HarborGuard: this CVE is monitored continuously against customer image inventories, with no fix version currently published upstream. For environments where images embed this firmware or derived configuration tooling, HarborGuard surfaces the finding with CVSS 7.1 HIGH scoring and routes it per each org's compliance policy. Compensating controls to consider while awaiting an upstream patch include restricting filesystem access to backup file paths via network-policy or container seccomp profiles, disabling automated backup export features where possible, and rotating any credentials currently stored in existing backup files. HarborGuard will automatically make a patched-image rebuild available and, for customers with auto-remediation enabled, open a PR against affected workloads the moment Mercusys publishes a fix.
- n/a / n/an/a
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N