HarborGuardharborguardDatabase
Back to search
HIGHCVE-2026-36609Published Modified CNA mitre

CVE-2026-36609: Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 uses a static authentication nonce that does not change between requests from the same source IP

Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 uses a static authentication nonce that does not change between requests from the same source IP. Combined with the predictable XOR-based password encoding (securityEncode function), this allows an attacker to reverse captured authentication tokens to recover the plaintext password.

Metrics

CVSS v3.1
7.3
Severity
HIGH
Fixed in
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

An authentication-bypass vulnerability affects the Mercusys AC12G (EU) V1 router running firmware AC12G(EU)_V1_200909. The router issues a static authentication nonce that never rotates between requests from the same source IP, and its password encoding relies on a predictable XOR-based function (securityEncode). A remote, unauthenticated attacker who can capture authentication traffic can reverse-engineer the encoded token to recover the plaintext admin password. No fix version has been published; HarborGuard tracks the advisory and will make a patched-image rebuild available as soon as an upstream fix is released.

HarborGuard Coverage

Detection

Detection of CVE-2026-36609 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that bundle or derive from affected firmware components.

Available
Triage

HarborGuard is capable of scoring this CVE at CVSS 7.3 (HIGH) and weighting it against each environment's compliance policy to determine urgency. Triage routing is available to direct findings to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Available
Patch

Because no upstream fix version has been published for CVE-2026-36609, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment the vendor publishes a corrected firmware or package. In the interim, compensating-control guidance is surfaced in the finding detail for customers who opt into advisory monitoring.

Pending upstream

Exploit Conditions

  • Network reachabilityRequired

    The attacker must reach the router's web interface over the network; the vulnerability is exposed to anyone who can send HTTP requests to the affected device.

  • AuthenticationNot required

    No credentials are needed; the attacker captures unauthenticated authentication traffic and decodes it without logging in.

  • Victim interactionNot required

    No victim action is required; the attacker passively captures a login exchange or replays requests without any user involvement.

  • Attack complexityDetail

    Attack complexity is low; the XOR decoding and static nonce extraction are deterministic operations with no race conditions or environmental prerequisites.

Blast Radius

  • Attacker recovers the plaintext administrator password for the router, gaining full administrative access to the device.
  • With admin access, the attacker can read network configuration, connected-client lists, DNS settings, and any credentials stored in the router interface.
  • The attacker can modify routing rules, DNS entries, or firewall settings, redirecting or intercepting traffic for all clients on the network.
  • The attacker can reboot the router, change the admin password to lock out legitimate users, or flash alternative firmware, disrupting network availability.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-36609 is active across all connected environments and will match any image or artifact that includes components tied to the affected Mercusys firmware. Because no upstream fix exists at this time, HarborGuard monitors the advisory on every ingest cycle and will automatically surface a patched-image rebuild option the moment the vendor publishes a corrected version. While no patch is available, HarborGuard surfaces compensating-control recommendations in the finding detail, including network-policy isolation to restrict access to the router management interface, egress filtering to limit exposure of the affected port, and flagging the finding for manual review under any compliance policy that requires active mitigation of HIGH-severity issues. For customers with auto-remediation enabled, the rebuild-and-PR flow will trigger automatically once a fix version is published.

See how HarborGuard automates this
Affected packages
  • n/a / n/a
    n/a
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
References