CVE-2026-36607

Published: Giu 03, 2026 Last Modified: Giu 03, 2026

ExploitDB:

Other exploit source:

Google Dorks:

HIGH 8,8

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

Attack Vector: adjacent_network

Attack Complexity: low

Privileges Required: none

User Interaction: none

Scope: unchanged

Confidentiality: high

Integrity: high

Availability: high

Description

AI Translation Available

Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 allows unauthenticated brute-force attacks via the TDDP password change endpoint (code=10), which lacks the rate limiting applied to the login endpoint (code=7). An attacker on the adjacent network can attempt unlimited passwords without triggering account lockout.

307

Improper Restriction of Excessive Authentication Attempts

Draft

Abstraction: Base Structure: Simple

Common Consequences

Security Scopes Affected:

Access Control

Potential Impacts:

Bypass Protection Mechanism

Applicable Platforms

All platforms may be affected

View CWE Details

https://github.com/Tymbark7372/MERCUSYS-AC12G/blob/master/a…

https://github.com/Tymbark7372/MERCUSYS-AC12G/blob/master/advisories/CVE-2026-3…

CVE-2026-36607

Description

Improper Restriction of Excessive Authentication Attempts

Common Consequences

Applicable Platforms

Iscriviti alla newsletter