CVE-2026-36607

Mercusys · AC12G (EU) V1 Router

The Mercusys AC12G router contains an unauthenticated brute-force vulnerability in the TDDP password change endpoint due to a lack of rate limiting.

Executive summary

An unauthenticated brute-force vulnerability in the Mercusys AC12G router firmware lets an attacker on an adjacent network guess the administrator password through the TDDP password change endpoint without limit, because that endpoint lacks the rate limiting applied to the standard login endpoint. A successful guess gives the attacker control of the device, so the risk is unauthorized device takeover.

Vulnerability

This vulnerability resides in the TDDP (TP-Link Device Debug Protocol) password change endpoint (code=10). The standard login endpoint rate-limits failed attempts, but the password change endpoint does not, so an attacker on the adjacent network (CVSS attack vector: adjacent) can submit password guesses without limit and without ever triggering a lockout. Because the endpoint is a password change request rather than a plain login, a correct guess does more than confirm the password: it lets the attacker set a new one and lock the legitimate administrator out.
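The asymmetry described above, shown as an added illustrative model that is not the device's firmware and not the project's own code: a router handler that checks the current password on a code=10 request, once without any limiter (the vulnerable behaviour) and once behind a per-source sliding-window limiter with lockout (the control the advisory says the login endpoint has). The thresholds, the source-address key, the wordlist and the fixed clock are assumptions made for the example; the real TDDP packet format is not modelled.

```python
import hmac
import time
from collections import defaultdict, deque

# The advisory identifies the TDDP password-change request as code=10.
CODE_PASSWORD_CHANGE = 10


class AttemptLimiter:
    """Per-source sliding-window failure counter with a lockout period.

    The thresholds (5 failures per 60 s, 300 s lockout) are assumptions.
    """

    def __init__(self, max_failures=5, window_s=60.0, lockout_s=300.0,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.window_s = window_s
        self.lockout_s = lockout_s
        self.clock = clock  # injectable so the behaviour can be exercised offline
        self.failures = defaultdict(deque)  # src -> timestamps of recent failures
        self.locked_until = {}  # src -> time at which the lockout expires

    def allow(self, src):
        now = self.clock()
        if self.locked_until.get(src, 0.0) > now:
            return False
        recent = self.failures[src]
        while recent and now - recent[0] > self.window_s:
            recent.popleft()  # drop failures that fell out of the window
        return len(recent) < self.max_failures

    def record_failure(self, src):
        now = self.clock()
        recent = self.failures[src]
        recent.append(now)
        if len(recent) >= self.max_failures:
            self.locked_until[src] = now + self.lockout_s
            recent.clear()

    def record_success(self, src):
        self.failures.pop(src, None)
        self.locked_until.pop(src, None)


class Router:
    """Minimal model of the device: the admin password plus a password-change
    handler that does or does not consult a limiter (None = unlimited)."""

    def __init__(self, admin_password, limiter=None):
        self.admin_password = admin_password
        self.limiter = limiter

    def handle_tddp(self, src, code, current_password, new_password):
        if code != CODE_PASSWORD_CHANGE:
            return "unsupported"
        if self.limiter is not None and not self.limiter.allow(src):
            return "rate_limited"
        # Constant-time comparison so the check itself does not leak timing.
        if not hmac.compare_digest(current_password.encode(), self.admin_password.encode()):
            if self.limiter is not None:
                self.limiter.record_failure(src)
            return "bad_password"
        if self.limiter is not None:
            self.limiter.record_success(src)
        self.admin_password = new_password
        return "changed"


def guess_until_stopped(router, src, wordlist, new_password="attacker-chosen"):
    """Send one guess per request. Returns (outcome, attempts): "compromised"
    when a guess was accepted and the password replaced, "blocked" when the
    limiter stopped the run, "exhausted" when the list ran out."""
    for attempts, guess in enumerate(wordlist, start=1):
        result = router.handle_tddp(src, CODE_PASSWORD_CHANGE, guess, new_password)
        if result == "changed":
            return "compromised", attempts
        if result == "rate_limited":
            return "blocked", attempts
    return "exhausted", len(wordlist)


# Constructed wordlist: the real password sits at position 15.
WORDLIST = [f"password{i}" for i in range(1, 15)] + ["Summer2026!", "admin", "1234"]

if __name__ == "__main__":
    unlimited = Router("Summer2026!")
    print(guess_until_stopped(unlimited, "192.168.1.50", WORDLIST))   # ('compromised', 15)
    frozen_clock = lambda: 1000.0  # no time passes, so the window never slides
    limited = Router("Summer2026!", AttemptLimiter(clock=frozen_clock))
    print(guess_until_stopped(limited, "192.168.1.50", WORDLIST))     # ('blocked', 6)
```

Keying the limiter on the source address is what the login endpoint presumably does; a limiter keyed only on the account would also stop this run but is easier to turn into a denial of service against the legitimate administrator, so a lockout should always expire rather than persist.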

Business impact

With a CVSS score of 8.8 (high severity), successful exploitation yields complete compromise of the router. An attacker who recovers or replaces the administrator password can reconfigure the device (for example DNS, port forwarding or remote management settings), intercept or redirect the traffic it routes, and use the router as a foothold for lateral movement into the local network.

Remediation

Immediate Action: Consult the vendor security advisory at https://www.mercusys.com/en/support/security-advisory to identify and apply the latest firmware for the AC12G (EU) V1 hardware version; firmware builds are specific to the hardware version printed on the device label, so confirm it before flashing.

Proactive Monitoring: Where the router exposes access logs, review them for high-frequency requests to the TDDP endpoint from internal or adjacent network addresses. Consumer routers rarely log individual TDDP requests, so in practice this is better observed on the network itself: a mirror port, flow records or an IDS watching for a single LAN or Wi-Fi host sending a sustained burst of requests to the router's TDDP service.

Compensating Controls: Restrict management access to the router to trusted administrative IP addresses only, and isolate the management interface from the public-facing or guest network segments. Where the firmware offers no address allow-list, keep remote (WAN) management disabled, keep guest Wi-Fi client-isolated so guests cannot reach the router's LAN-side services, and use a long, unique administrator password, since until the fix is applied the password's strength is the only obstacle to a guessing attack.
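The monitoring step above, as an added detection example that is not part of the advisory and not vendor code: a sliding-window counter over per-request records that flags any source sending more than a threshold of TDDP code=10 requests to the router within one minute. The records are constructed for the example, and their field layout, the UDP port (1040, the port commonly associated with TDDP) and the threshold are all assumptions; adapt the parser to whatever the sensor in your environment actually emits.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed records (not real device output). Assumed layout:
# timestamp, source IP, destination IP, protocol, destination port, TDDP code.
# 192.168.1.50 fires eight code=10 requests in five seconds; 192.168.1.20 is
# a legitimate admin making three requests spread over five minutes.
SAMPLE_RECORDS = """\
2026-03-01T10:00:00Z 192.168.1.20 192.168.1.1 udp 1040 code=10
2026-03-01T10:00:05Z 192.168.1.50 192.168.1.1 udp 1040 code=10
2026-03-01T10:00:06Z 192.168.1.50 192.168.1.1 udp 1040 code=10
2026-03-01T10:00:06Z 192.168.1.50 192.168.1.1 udp 1040 code=10
2026-03-01T10:00:07Z 192.168.1.50 192.168.1.1 udp 1040 code=10
2026-03-01T10:00:07Z 192.168.1.50 192.168.1.1 udp 1040 code=10
2026-03-01T10:00:08Z 192.168.1.50 192.168.1.1 udp 1040 code=10
2026-03-01T10:00:08Z 192.168.1.50 192.168.1.1 udp 1040 code=10
2026-03-01T10:00:09Z 192.168.1.50 192.168.1.1 udp 1040 code=10
2026-03-01T10:00:09Z 192.168.1.50 192.168.1.1 udp 1040 code=3
2026-03-01T10:00:30Z 192.168.1.20 192.168.1.1 udp 1040 code=10
2026-03-01T10:05:00Z 192.168.1.20 192.168.1.1 udp 1040 code=10
"""


def parse_record(line):
    """Parse one record line; return None for anything that does not fit."""
    parts = line.split()
    if len(parts) != 6 or not parts[5].startswith("code="):
        return None
    ts, src, dst, proto, port, code = parts
    try:
        return {
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src, "dst": dst, "proto": proto,
            "port": int(port), "code": int(code[len("code="):]),
        }
    except ValueError:
        return None


def detect_password_change_bursts(lines, threshold=5, window=timedelta(seconds=60),
                                  tddp_port=1040, code=10):
    """Return {src: (window_start, peak_count)} for every source that sent at
    least `threshold` code=10 requests to the TDDP port inside `window`.
    Records are assumed to arrive in chronological order."""
    recent = defaultdict(deque)  # src -> timestamps inside the current window
    alerts = {}
    for line in lines:
        rec = parse_record(line)
        if (rec is None or rec["proto"] != "udp"
                or rec["port"] != tddp_port or rec["code"] != code):
            continue
        q = recent[rec["src"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            start, peak = alerts.get(rec["src"], (q[0], 0))
            alerts[rec["src"]] = (start, max(peak, len(q)))
    return alerts


if __name__ == "__main__":
    for src, (start, peak) in detect_password_change_bursts(SAMPLE_RECORDS.splitlines()).items():
        print(f"ALERT {src}: {peak} TDDP code=10 requests within 60 s starting {start.isoformat()}")
```

The threshold is deliberately low because a human changing a password sends one or two such requests, never a stream; tune it upward only if your sensor double-counts retransmissions. The same window logic, pointed at the login endpoint, gives you a baseline to confirm that the login path really is being throttled while the code=10 path is not.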

Exploitation status

Public Exploit Available: false

Analyst recommendation

The absence of rate limiting on a credential-checking administrative endpoint is a significant security oversight: until the firmware is updated, the strength of the administrator password is the only defence against this attack. Administrators should prioritize applying the fixed firmware immediately to eliminate the brute-force vector and secure the device against unauthorized access.