How is CVE-2026-36607 exploited?

Network reachability (info): The attacker must be on the same adjacent network, LAN segment, or connected via VPN; remote internet-based exploitation is not possible with this vector (AV:A). Authentication (not-required): No credentials are needed to target the TDDP password-change endpoint; the attack proceeds entirely unauthenticated (PR:N). Victim interaction (not-required): The attack is fully automated and requires no action from any user or administrator on the targeted device (UI:N). Attack complexity (info): Exploitation is reliable and condition-free once the attacker is on the adjacent network; no race conditions or special environmental factors apply (AC:L).

What is the impact of CVE-2026-36607?

Reads the device administrator password by brute-forcing the TDDP endpoint, gaining full credential access. Modifies router configuration including DNS settings, firewall rules, and port forwarding, allowing traffic interception or redirection. Crashes or reboots the router by applying hostile configuration changes, disrupting network connectivity for all devices on the segment. Takes persistent administrative control of the router, enabling ongoing surveillance of unencrypted traffic traversing the device.

Back to search

HIGHCVE-2026-36607Published 2026-06-03Modified 2026-06-03CNA mitre

CVE-2026-36607: Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 allows unauthenticated brute-force attacks via the TDDP password change endpoint (code=10), which lacks the rate limiting applied to the login endpoint (code=7)

Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 allows unauthenticated brute-force attacks via the TDDP password change endpoint (code=10), which lacks the rate limiting applied to the login endpoint (code=7). An attacker on the adjacent network can attempt unlimited passwords without triggering account lockout.

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

This is a missing rate-limit vulnerability in the Mercusys AC12G (EU) V1 router running firmware AC12G(EU)_V1_200909. The TDDP password-change endpoint (code=10) accepts unlimited unauthenticated password attempts over the local network or LAN segment, bypassing the lockout protection that guards the normal login endpoint (code=7). A successful brute-force attack gives the attacker full control over the router, including the ability to read, modify, or disrupt all traffic passing through it. No fix version has been published; HarborGuard is tracking the advisory for patch availability.

HarborGuard Coverage

Detection

Detection for CVE-2026-36607 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that bundle or depend on affected Mercusys firmware components.

Available

Triage

HarborGuard scores this vulnerability at 8.8 HIGH using the CVSS v3.1 vector and weights it further against each customer organization's per-environment compliance policy, then routes the finding to the appropriate team inbox within that organization.

Available

Patch

Because no upstream fix version has been published for CVE-2026-36607, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment Mercusys ships a corrected firmware release. In the meantime, customers can apply compensating-control guidance directly from the finding card.

Pending upstream

Exploit Conditions

Network reachabilityDetail
The attacker must be on the same adjacent network, LAN segment, or connected via VPN; remote internet-based exploitation is not possible with this vector (AV:A).
AuthenticationNot required
No credentials are needed to target the TDDP password-change endpoint; the attack proceeds entirely unauthenticated (PR:N).
Victim interactionNot required
The attack is fully automated and requires no action from any user or administrator on the targeted device (UI:N).
Attack complexityDetail
Exploitation is reliable and condition-free once the attacker is on the adjacent network; no race conditions or special environmental factors apply (AC:L).

Blast Radius

Reads the device administrator password by brute-forcing the TDDP endpoint, gaining full credential access.
Modifies router configuration including DNS settings, firewall rules, and port forwarding, allowing traffic interception or redirection.
Crashes or reboots the router by applying hostile configuration changes, disrupting network connectivity for all devices on the segment.
Takes persistent administrative control of the router, enabling ongoing surveillance of unencrypted traffic traversing the device.

How HarborGuard Handles This

Available on HarborGuard: CVE-2026-36607 is tracked continuously with no upstream fix currently available. HarborGuard re-checks the advisory on every ingest cycle and will surface a patched-image rebuild automatically the moment Mercusys publishes a corrected firmware release. While no patch exists, customers are encouraged to apply compensating controls including network-policy rules that restrict access to the TDDP service port to trusted management hosts only, VLAN segmentation to isolate the affected router from general user traffic, and egress filtering to prevent lateral movement if the device is compromised. For environments with auto-remediation enabled, HarborGuard will open a rebuild PR and trigger a regression-test run against affected workloads as soon as a fix version is confirmed upstream.

See how HarborGuard automates this

Affected packages

n/a / n/a
n/a

CVSS Vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

github.com

Metrics

Get notified