Exploit Database
144,703 exploits tracked across all sources.
Mercusys AC12G (EU) V1 - Unauthenticated Brute-Force Attack via TDDP Password Change Endpoint
Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 allows unauthenticated brute-force attacks via the TDDP password change endpoint (code=10), which lacks the rate limiting applied to the login endpoint (code=7). An attacker on the adjacent network can attempt unlimited passwords without triggering account lockout.
CVSS 8.8
Mercusys AC12G (EU) V1 Firmware AC12G(EU)_V1_200909 - Unauthenticated UPnP Port Forwarding to Admin Interface
Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 allows UPnP AddPortMapping to forward external ports to the router's own admin interface by accepting its own IP (192.168.1.1) or localhost (127.0.0.1) as InternalClient. An unauthenticated LAN attacker can expose the admin panel to the internet with a single SOAP request.
CVSS 8.8
Mercusys AC12G (EU) V1 - Unauthenticated Password Recovery via Static Nonce and Predictable XOR Encoding
Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 uses a static authentication nonce that does not change between requests from the same source IP. Combined with the predictable XOR-based password encoding (securityEncode function), this allows an attacker to reverse captured authentication tokens to recover the plaintext password.
CVSS 7.3
Mercusys AC12G (EU) V1 Firmware AC12G(EU)_V1_200909 - Unauthenticated DDNS Credential Exposure via Plaintext HTTP
Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 transmits DDNS credentials over plaintext HTTP with only Base64 encoding. The firmware contains no TLS implementation, allowing man-in-the-middle interception of DDNS service credentials.
CVSS 5.9
Mercusys AC12G (EU) V1 - Unauthenticated Information Disclosure via UPnP POST Request
Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 returns 128 bytes of uninitialized buffer when receiving POST requests without SOAPAction header on UPnP port 1900, exposing internal memory to unauthenticated adjacent network attackers.
CVSS 7.3
Mercusys AC12G (EU) V1 Firmware AC12G(EU)_V1_200909 - Weak WPS Lockout Policy
Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 enables WPS 2.0 by default with a weak lockout policy (60-second lockout after 10 attempts).
CVSS 6.4
Mercusys AC12G (EU) V1 Firmware AC12G(EU)_V1_200909 - Unauthenticated Information Exposure via Undefined HTTP POST Paths
Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 returns 128 bytes of uninitialized internal buffer contents when receiving HTTP POST requests to undefined paths, exposing server state to unauthenticated adjacent network attackers.
CVSS 4.3
Mercusys AC12G (EU) V1 Firmware AC12G(EU)_V1_200909 - Unauthenticated Information Disclosure via Undocumented Endpoint
Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 exposes an undocumented /agileconfigreset endpoint that returns internal buffer contents to unauthenticated attackers on the adjacent network.
CVSS 4.3
Mercusys AC12G (EU) V1 AC12G(EU)_V1_200909 - Hardcoded WiFi Driver Credentials Exposure
Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 contains hardcoded WiFi driver credentials including a RADIUS shared secret, WPS test key, and default PSK embedded in the production firmware binary.
CVSS 5.9
Mercusys AC12G (EU) V1 Firmware AC12G(EU)_V1_200909 - Information Disclosure via CHAOS TXT Query
Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 responds to version.bind CHAOS TXT queries, disclosing the DNS resolver software version (unbound 1.22.0), aiding targeted attacks against known vulnerabilities.
CVSS 4.3
FRRouting stable/10.0-10.6 - Denial of Service via Crafted BGP UPDATE Message
Missing input validation in the rfapiRibBi2Ri() function (rfapi_rib.c) of FRRouting (FRR) stable/10.0 to stable/10.6 allows attackers to cause a Denial of Service (DoS) via supplying a crafted BGP UPDATE message.
CVSS 7.5
FRRouting stable/10.0-10.6 - Denial of Service via Crafted BGP UPDATE Message
Missing input validation in the rfapiRibBi2Ri() function (rfapi_rib.c) of FRRouting (FRR) stable/10.0 to stable/10.6 allows attackers to cause a Denial of Service (DoS) via supplying a crafted BGP UPDATE message.
CVSS 7.5
FRRouting stable/10.0-10.6 - Denial of Service via Crafted BGP UPDATE Message
Missing input validation in the rfapiRibBi2Ri() function (rfapi_rib.c) of FRRouting (FRR) stable/10.0 to stable/10.6 allows attackers to cause a Denial of Service (DoS) via supplying a crafted BGP UPDATE message.
CVSS 7.5
FRRouting < 10.5.3 Integer Overflow in OSPF TLV Parser Functions
FRRouting before 10.5.3 contains an integer overflow vulnerability in seven OSPF Traffic Engineering and Segment Routing TLV parser functions where a uint16_t accumulator variable truncates uint32_t values returned by the TLV_SIZE() macro, causing the loop termination condition to fail while pointer advancement continues unchecked. Attackers with an established OSPF adjacency can send a crafted LS Update packet with a malicious Type 10 or Type 11 Opaque LSA to trigger out-of-bounds memory reads and crash all affected routers in the OSPF area or autonomous system.
CVSS 6.5
FRRouting < 10.5.3 Integer Overflow in OSPF TLV Parser Functions
FRRouting before 10.5.3 contains an integer overflow vulnerability in seven OSPF Traffic Engineering and Segment Routing TLV parser functions where a uint16_t accumulator variable truncates uint32_t values returned by the TLV_SIZE() macro, causing the loop termination condition to fail while pointer advancement continues unchecked. Attackers with an established OSPF adjacency can send a crafted LS Update packet with a malicious Type 10 or Type 11 Opaque LSA to trigger out-of-bounds memory reads and crash all affected routers in the OSPF area or autonomous system.
CVSS 6.5
FRRouting FRR EVPN Type-2 Route bgp_evpn.c process_type2_route access control
A vulnerability has been found in FRRouting FRR up to 10.5.1. This affects the function process_type2_route of the file bgpd/bgp_evpn.c of the component EVPN Type-2 Route Handler. The manipulation leads to improper access controls. The attack can be initiated remotely. The attack is considered to have high complexity. The exploitability is reported as difficult. The identifier of the patch is 7676cad65114aa23adde583d91d9d29e2debd045. To fix this issue, it is recommended to deploy a patch.
CVSS 4.2
FRRouting FRR EVPN Type-2 Route bgp_evpn.c process_type2_route access control
A vulnerability has been found in FRRouting FRR up to 10.5.1. This affects the function process_type2_route of the file bgpd/bgp_evpn.c of the component EVPN Type-2 Route Handler. The manipulation leads to improper access controls. The attack can be initiated remotely. The attack is considered to have high complexity. The exploitability is reported as difficult. The identifier of the patch is 7676cad65114aa23adde583d91d9d29e2debd045. To fix this issue, it is recommended to deploy a patch.
CVSS 4.2
FRRouting 4.0-10.4.1 - Denial of Service via Crafted LSA Update Packet
FRRouting/frr from v4.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the show_vty_ext_pref_pref_sid function at ospf_ext.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted LSA Update packet.
CVSS 7.5
FRRouting 4.0-10.4.1 - Denial of Service via Crafted LSA Update Packet
FRRouting/frr from v4.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the show_vty_ext_pref_pref_sid function at ospf_ext.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted LSA Update packet.
CVSS 7.5
FRRouting 4.0-10.4.1 - Denial of Service via Crafted LSA Update Packet
FRRouting/frr from v4.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the show_vty_ext_pref_pref_sid function at ospf_ext.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted LSA Update packet.
CVSS 7.5
FRRouting 4.0-10.4.1 - Denial of Service via OSPF Packet Handling in ospf_ext.c
FRRouting/frr from v4.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the show_vty_ext_pref_pref_sid function at ospf_ext.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted OSPF packet.
CVSS 7.5
FRRouting 4.0-10.4.1 - Denial of Service via OSPF Packet Handling in ospf_ext.c
FRRouting/frr from v4.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the show_vty_ext_pref_pref_sid function at ospf_ext.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted OSPF packet.
CVSS 7.5
FRRouting 4.0-10.4.1 - Denial of Service via OSPF Packet Handling in ospf_ext.c
FRRouting/frr from v4.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the show_vty_ext_pref_pref_sid function at ospf_ext.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted OSPF packet.
CVSS 7.5
FRRouting 4.0-10.4.1 - Denial of Service via OSPF Packet Processing
FRRouting/frr from v4.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the show_vty_link_info function at ospf_ext.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted OSPF packet.
CVSS 7.5
FRRouting 4.0-10.4.1 - Denial of Service via OSPF Packet Processing
FRRouting/frr from v4.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the show_vty_link_info function at ospf_ext.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted OSPF packet.
CVSS 7.5
By Source