Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 allows unauthenticated brute-force attacks via the TDDP password change endpoint (code=10), which lacks the rate limiting applied to the login endpoint (code=7). An attacker on the adjacent network can attempt unlimited passwords without triggering account lockout.
CVE-2026-36607 describes a missing rate-limiting control in Mercusys AC12G (EU) V1 routers running firmware AC12G(EU)_V1_200909: the TDDP password change message (code=10) is not covered by the account lockout that protects the login message (code=7). Because the password change handler verifies the current password before accepting a new one, an attacker on the adjacent network can use it as an unthrottled password oracle, submitting unlimited guesses without ever triggering a lockout. The CVSS 8.8 (High) rating reflects the population at risk: home and small office administrators who rely on these routers as their perimeter, where a recovered router credential lets the attacker reconfigure the device and pivot into the protected network. The weakness is an instance of CWE-307 (Improper Restriction of Excessive Authentication Attempts); a lockout that guards only one of two paths verifying the same credential offers no real protection, since the attacker simply uses the other path.
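To make the asymmetry concrete, the following is an added Python model, not Mercusys firmware (whose source is not public) and not code from this page, of a per-source lockout that guards only the login message beside one that guards every message which verifies the current password. The message codes 7 and 10 come from the advisory; the five-failure threshold, the five-minute lockout, the `Device` class, the wordlist and the simulated clock are assumptions made for this example.

```python
"""Per-source lockout that covers only login (code=7), as described for
CVE-2026-36607, beside one that covers every message verifying the current
password. Hypothetical model written for this example; not vendor code."""
from dataclasses import dataclass, field
import hmac

CODE_LOGIN = 7             # from the advisory
CODE_CHANGE_PASSWORD = 10  # from the advisory

MAX_FAILURES = 5           # assumed lockout threshold
LOCKOUT_SECONDS = 300      # assumed lockout duration


@dataclass
class SourceState:
    failures: int = 0
    locked_until: float = 0.0


@dataclass
class Device:
    password: str
    guarded_codes: frozenset           # message codes the lockout applies to
    sources: dict = field(default_factory=dict)
    clock: float = 0.0                 # simulated time, seconds

    def _state(self, src):
        return self.sources.setdefault(src, SourceState())

    def handle(self, src, code, current_pw, new_pw=None):
        """Process one TDDP-style message; return 'locked', 'ok' or 'bad'."""
        st = self._state(src)
        guarded = code in self.guarded_codes
        if guarded and self.clock < st.locked_until:
            return "locked"
        # Constant-time compare so the check itself leaks no timing signal.
        if hmac.compare_digest(current_pw.encode(), self.password.encode()):
            if code == CODE_CHANGE_PASSWORD and new_pw:
                self.password = new_pw
            st.failures = 0
            return "ok"
        if guarded:
            st.failures += 1
            if st.failures >= MAX_FAILURES:
                st.failures = 0
                st.locked_until = self.clock + LOCKOUT_SECONDS
        return "bad"


def vulnerable_device(password):
    """Lockout applies to login only: the weakness in the advisory."""
    return Device(password, frozenset({CODE_LOGIN}))


def hardened_device(password):
    """Lockout applies to every message that verifies the credential."""
    return Device(password, frozenset({CODE_LOGIN, CODE_CHANGE_PASSWORD}))


# Constructed wordlist; the real password is deliberately the last entry.
WORDLIST = ["123456", "password", "admin", "letmein", "qwerty", "welcome", "s3cret!"]


def brute_force(device, src, code, wordlist=WORDLIST, step=0.01):
    """Send every candidate via `code`; return (verdict tally, found password)."""
    tally = {"ok": 0, "bad": 0, "locked": 0}
    found = None
    for cand in wordlist:
        device.clock += step
        verdict = device.handle(src, code, cand, new_pw="attacker-set")
        tally[verdict] += 1
        if verdict == "ok":
            found = cand
            break
    return tally, found


if __name__ == "__main__":
    for name, factory, code in [
        ("vulnerable, login", vulnerable_device, CODE_LOGIN),
        ("vulnerable, password change", vulnerable_device, CODE_CHANGE_PASSWORD),
        ("hardened, password change", hardened_device, CODE_CHANGE_PASSWORD),
    ]:
        print(name, brute_force(factory("s3cret!"), "192.168.1.50", code))
```

Against the vulnerable model every guess sent as code=10 is answered "bad" until the right one is answered "ok" and the password is replaced, while the same guesses sent as code=7 hit "locked" after five failures; the hardened model locks the source out on code=10 as well. The fix is not a second counter but a single counter keyed on the source and shared by every code path that verifies the credential.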
While this CVE lacks a direct MITRE ATT&CK technique mapping, Casky's 754 security skills mapped to the framework would detect the attack patterns associated with the techniques T1110 (Brute Force) and T1021 (Remote Services). Practitioners using Casky would see findings showing repeated password change messages (code=10) originating from the same source IP, anomalous authentication activity from adjacent network segments, and logs indicating systematic probing of the TDDP service. The extended reasoning capabilities would correlate the absence of any throttling or lockout after repeated failed code=10 messages, the differential behaviour between the two endpoints (code=7 locks the source out, code=10 does not), and the lack of account lockout events for the offending source, flagging these as indicators of a missing rate-limiting control (CWE-307) rather than of an input validation problem.
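The detection logic described above, as an added Python example that is not Casky's own code: it counts failed and locked attempts per (source, message code) in a sliding window and, when a burst reaches the threshold, checks whether a lockout event for that source appeared inside the window. The log line format, the sample events, the 60-second window and the threshold of 10 attempts are all constructed for this example; a real TDDP deployment may log nothing of the kind, in which case the same logic applies to packet captures of the TDDP port.

```python
"""Sliding-window brute-force detector distinguishing contained bursts (a
lockout event followed) from uncontained ones (no lockout ever fired).
The log format below is constructed for this example, not a vendor format."""
from collections import defaultdict, deque
from datetime import datetime, timezone
import re

# Constructed format: "<iso8601Z> src=<ip> code=<n> result=<ok|fail|locked>"
# or                  "<iso8601Z> src=<ip> code=<n> event=lockout"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) code=(?P<code>\d+) "
    r"(?:result=(?P<result>\w+)|event=(?P<event>\w+))$"
)

WINDOW_SECONDS = 60   # assumed sliding window
THRESHOLD = 10        # assumed attempts-per-window alert threshold


def parse(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ts = ts.replace(tzinfo=timezone.utc).timestamp()
    return {"ts": ts, "src": m["src"], "code": int(m["code"]),
            "result": m["result"], "event": m["event"]}


def detect(lines, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Map (src, code) -> finding for every burst reaching the threshold."""
    attempts = defaultdict(deque)   # (src, code) -> timestamps of non-ok attempts
    lockouts = defaultdict(list)    # src -> timestamps of lockout events
    findings = {}
    events = sorted(filter(None, map(parse, lines)), key=lambda e: e["ts"])
    for ev in events:
        key = (ev["src"], ev["code"])
        if ev["event"] == "lockout":
            lockouts[ev["src"]].append(ev["ts"])
            continue
        if ev["result"] == "ok":
            attempts[key].clear()   # a success ends the burst
            continue
        q = attempts[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and key not in findings:
            contained = any(q[0] <= t <= ev["ts"] for t in lockouts[ev["src"]])
            findings[key] = {"attempts": len(q), "lockout_seen": contained,
                             "first": q[0], "last": ev["ts"]}
    return findings


def uncontained(findings):
    """Keys of bursts that no lockout ever stopped: the CVE-2026-36607 shape."""
    return [k for k, f in findings.items() if not f["lockout_seen"]]


def make_sample_log():
    """Constructed sample: one source hammering code=10 (never locked out),
    one hammering code=7 (locked out after 5 failures), one benign typo."""
    lines = []
    for i in range(12):
        lines.append(f"2026-04-01T10:00:{i * 2:02d}Z src=10.0.0.9 code=10 result=fail")
    for i in range(12):
        result = "fail" if i < 5 else "locked"
        lines.append(f"2026-04-01T10:01:{i * 2:02d}Z src=10.0.0.7 code=7 result={result}")
        if i == 4:
            lines.append("2026-04-01T10:01:08Z src=10.0.0.7 code=7 event=lockout")
    lines.append("2026-04-01T10:02:00Z src=10.0.0.5 code=7 result=fail")
    lines.append("2026-04-01T10:02:03Z src=10.0.0.5 code=7 result=ok")
    return lines


if __name__ == "__main__":
    found = detect(make_sample_log())
    for key, f in found.items():
        state = "contained" if f["lockout_seen"] else "UNCONTAINED"
        print(key, f["attempts"], "attempts,", state)
    print("uncontained bursts:", uncontained(found))
```

On the sample both sources reach the threshold, but only the code=7 burst has a lockout inside its window; the code=10 burst from 10.0.0.9 is reported as uncontained, which is exactly the differential behaviour the advisory describes. Counting locked attempts as well as failures matters: a source that keeps hammering after lockout is still an attacker, just a contained one.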
© 2026 Casky.AI, Inc. · AI Security Investigation