Tymbark7372

15 exploits Active since Jun 2026
CVE-2026-36602 WRITEUP MEDIUM WRITEUP
Mercusys AC12G (EU) V1 - Unauthenticated Kernel Memory Layout Disclosure via UPnP GetStatusInfo Action
Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 discloses kernel memory layout via the UPnP GetStatusInfo action. An unauthenticated attacker on the adjacent network can obtain a raw MIPS KSEG0 kernel pointer, revealing kernel memory layout and aiding further exploitation.
CVSS 4.3
CVE-2026-36603 WRITEUP HIGH WRITEUP
Mercusys AC12G (EU) V1 - Unauthenticated UPnP Port Forwarding Manipulation
Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 exposes 15 of 18 UPnP IGD actions without authentication on port 1900, including AddPortMapping and GetExternalIPAddress. UPnP is enabled by default through the admin interface, allowing any unauthenticated LAN device to create arbitrary port forwarding rules and access WAN traffic statistics.
CVSS 8.1
CVE-2026-36604 WRITEUP MEDIUM WRITEUP
Mercusys AC12G (EU) V1 AC12G(EU)_V1_200909 - DNS Rebinding via HTTP Host Header
Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 does not validate the HTTP Host header, enabling DNS rebinding attacks. An external attacker can rebind a domain to the router's internal IP address, extending the CORS wildcard vulnerability (Access-Control-Allow-Origin: *) to internet-originated attacks.
CVSS 6.5
CVE-2026-36605 WRITEUP MEDIUM WRITEUP
Mercusys AC12G (EU) V1 Firmware AC12G(EU)_V1_200909 - Denial of Service via Crafted Incomplete HTTP Requests
Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 is vulnerable to a HTTP denial of service via a low number of crafted incomplete HTTP requests, causing a persistent crash that requires physical power cycling to recover.
CVSS 6.5
CVE-2026-36606 WRITEUP HIGH WRITEUP
Mercusys AC12G (EU) V1 - Hardcoded DES Key Credential Exposure via Configuration Backup
Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 encrypts configuration backups with a hardcoded DES key using single DES in ECB mode. An attacker who obtains a backup file can decrypt it to recover all stored credentials including admin password, WiFi PSK, and DDNS credentials.
CVSS 7.1
CVE-2026-36607 WRITEUP HIGH WRITEUP
Mercusys AC12G (EU) V1 - Unauthenticated Brute-Force Attack via TDDP Password Change Endpoint
Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 allows unauthenticated brute-force attacks via the TDDP password change endpoint (code=10), which lacks the rate limiting applied to the login endpoint (code=7). An attacker on the adjacent network can attempt unlimited passwords without triggering account lockout.
CVSS 8.8
CVE-2026-36608 WRITEUP HIGH WRITEUP
Mercusys AC12G (EU) V1 Firmware AC12G(EU)_V1_200909 - Unauthenticated UPnP Port Forwarding to Admin Interface
Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 allows UPnP AddPortMapping to forward external ports to the router's own admin interface by accepting its own IP (192.168.1.1) or localhost (127.0.0.1) as InternalClient. An unauthenticated LAN attacker can expose the admin panel to the internet with a single SOAP request.
CVSS 8.8
CVE-2026-36609 WRITEUP HIGH WRITEUP
Mercusys AC12G (EU) V1 - Unauthenticated Password Recovery via Static Nonce and Predictable XOR Encoding
Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 uses a static authentication nonce that does not change between requests from the same source IP. Combined with the predictable XOR-based password encoding (securityEncode function), this allows an attacker to reverse captured authentication tokens to recover the plaintext password.
CVSS 7.3
CVE-2026-36610 WRITEUP MEDIUM WRITEUP
Mercusys AC12G (EU) V1 Firmware AC12G(EU)_V1_200909 - Unauthenticated DDNS Credential Exposure via Plaintext HTTP
Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 transmits DDNS credentials over plaintext HTTP with only Base64 encoding. The firmware contains no TLS implementation, allowing man-in-the-middle interception of DDNS service credentials.
CVSS 5.9
CVE-2026-36611 WRITEUP HIGH WRITEUP
Mercusys AC12G (EU) V1 - Unauthenticated Information Disclosure via UPnP POST Request
Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 returns 128 bytes of uninitialized buffer when receiving POST requests without SOAPAction header on UPnP port 1900, exposing internal memory to unauthenticated adjacent network attackers.
CVSS 7.3
CVE-2026-36612 WRITEUP MEDIUM WRITEUP
Mercusys AC12G (EU) V1 Firmware AC12G(EU)_V1_200909 - Weak WPS Lockout Policy
Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 enables WPS 2.0 by default with a weak lockout policy (60-second lockout after 10 attempts).
CVSS 6.4
CVE-2026-36613 WRITEUP MEDIUM WRITEUP
Mercusys AC12G (EU) V1 Firmware AC12G(EU)_V1_200909 - Unauthenticated Information Exposure via Undefined HTTP POST Paths
Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 returns 128 bytes of uninitialized internal buffer contents when receiving HTTP POST requests to undefined paths, exposing server state to unauthenticated adjacent network attackers.
CVSS 4.3
CVE-2026-36615 WRITEUP MEDIUM WRITEUP
Mercusys AC12G (EU) V1 Firmware AC12G(EU)_V1_200909 - Unauthenticated Information Disclosure via Undocumented Endpoint
Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 exposes an undocumented /agileconfigreset endpoint that returns internal buffer contents to unauthenticated attackers on the adjacent network.
CVSS 4.3
CVE-2026-36616 WRITEUP MEDIUM WRITEUP
Mercusys AC12G (EU) V1 AC12G(EU)_V1_200909 - Hardcoded WiFi Driver Credentials Exposure
Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 contains hardcoded WiFi driver credentials including a RADIUS shared secret, WPS test key, and default PSK embedded in the production firmware binary.
CVSS 5.9
CVE-2026-36618 WRITEUP MEDIUM WRITEUP
Mercusys AC12G (EU) V1 Firmware AC12G(EU)_V1_200909 - Information Disclosure via CHAOS TXT Query
Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 responds to version.bind CHAOS TXT queries, disclosing the DNS resolver software version (unbound 1.22.0), aiding targeted attacks against known vulnerabilities.
CVSS 4.3