Tymbark7372

**Name of the Vulnerable Software and Affected Versions** Mercusys AC12G (EU) V1 version AC12G(EU) V1 200909 **Description** The UPnP GetStatusInfo action discloses kernel memory layout. An unauthenticated attacker on the adjacent network can obtain a raw MIPS KSEG0 kernel pointer, which reveals the kernel memory layout and facilitates further exploitation. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Mercusys AC12G (EU) V1 version AC12G(EU) V1 200909 **Description** The device exposes 15 of 18 UPnP IGD actions without authentication on port 1900, including `AddPortMapping` and `GetExternalIPAddress`. Universal Plug and Play (UPnP), a protocol that allows devices to discover each other and establish communication services on a network, is enabled by default. This allows any unauthenticated device on the local area network (LAN) to create arbitrary port forwarding rules and access WAN traffic statistics. **Recommendations** Disable UPnP through the admin interface for version AC12G(EU) V1 200909.

**Name of the Vulnerable Software and Affected Versions** Mercusys AC12G (EU) V1 version AC12G(EU) V1 200909 **Description** The device fails to validate the HTTP Host header, which allows for DNS rebinding attacks. This occurs when an attacker rebinds a domain to the internal IP address of the router, leveraging a CORS wildcard vulnerability where the `Access-Control-Allow-Origin` header is set to `*`. This combination enables attacks originating from the internet to bypass security restrictions. CORS (Cross-Origin Resource Sharing) is a mechanism that allows restricted resources on a web page to be requested from another domain outside the domain from which the first resource was served. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Mercusys AC12G (EU) V1 router with firmware AC12G(EU) V1 200909 is vulnerable to a HTTP denial of service via a low number of crafted incomplete HTTP requests, causing a persistent crash that requires physical power cycling to recover.

Mercusys AC12G (EU) V1 router with firmware AC12G(EU) V1 200909 encrypts configuration backups with a hardcoded DES key using single DES in ECB mode. An attacker who obtains a backup file can decrypt it to recover all stored credentials including admin password, WiFi PSK, and DDNS credentials.

Mercusys AC12G (EU) V1 router with firmware AC12G(EU) V1 200909 allows unauthenticated brute-force attacks via the TDDP password change endpoint (code=10), which lacks the rate limiting applied to the login endpoint (code=7). An attacker on the adjacent network can attempt unlimited passwords without triggering account lockout.

Mercusys AC12G (EU) V1 router with firmware AC12G(EU) V1 200909 allows UPnP AddPortMapping to forward external ports to the router's own admin interface by accepting its own IP (192.168.1.1) or localhost (127.0.0.1) as InternalClient. An unauthenticated LAN attacker can expose the admin panel to the internet with a single SOAP request.

**Name of the Vulnerable Software and Affected Versions** Mercusys AC12G (EU) V1 firmware AC12G(EU) V1 200909 **Description** The device uses a static authentication nonce that remains unchanged between requests originating from the same source IP. This issue, combined with a predictable XOR-based password encoding implemented in the `securityEncode()` function, enables an attacker to reverse captured authentication tokens to recover the plaintext password. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Mercusys AC12G (EU) V1 version AC12G(EU) V1 200909 **Description** The device transmits DDNS credentials over plaintext HTTP using only Base64 encoding. Because the firmware lacks a TLS (Transport Layer Security) implementation—a protocol designed to provide communications security over a computer network—an attacker can perform a man-in-the-middle interception to steal DDNS service credentials. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Mercusys AC12G (EU) V1 version AC12G(EU) V1 200909 **Description** An issue exists where the device returns 128 bytes of uninitialized buffer when receiving POST requests that lack a `SOAPAction` header on the UPnP port 1900. This allows unauthenticated adjacent network attackers to expose internal memory. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Mercusys AC12G (EU) V1 with firmware AC12G(EU) V1 200909 enables WPS 2.0 by default with a weak lockout policy (60-second lockout after 10 attempts).

Mercusys AC12G (EU) V1 with firmware AC12G(EU) V1 200909 returns 128 bytes of uninitialized internal buffer contents when receiving HTTP POST requests to undefined paths, exposing server state to unauthenticated adjacent network attackers.

Mercusys AC12G (EU) V1 with firmware AC12G(EU) V1 200909 exposes an undocumented /agileconfigreset endpoint that returns internal buffer contents to unauthenticated attackers on the adjacent network.

Mercusys AC12G (EU) V1 with firmware AC12G(EU) V1 200909 contains hardcoded WiFi driver credentials including a RADIUS shared secret, WPS test key, and default PSK embedded in the production firmware binary.

**Name of the Vulnerable Software and Affected Versions** Mercusys AC12G (EU) V1 version AC12G(EU) V1 200909 **Description** The device responds to `version.bind` CHAOS TXT queries, which results in the disclosure of the DNS resolver software version (`unbound 1.22.0`). This information can be used to facilitate targeted attacks by identifying known weaknesses in the specific software version. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.