Mercusys AC12G
- AC12G(EU)_V1_200909
- AC12G(EU)_V1_210128
A denial-of-service vulnerability has been identified in the Mercusys AC12G (EU) V1 router, specifically in firmware version AC12G(EU)_V1_200909. The issue arises in the router's HTTP server, which has a limited connection pool and no timeout for incomplete requests. Approximately 50 concurrent TCP connections that send slow or incomplete HTTP headers are enough to exhaust all available connection slots. This causes the HTTP server to become permanently unresponsive, requiring a physical power cycle to restore functionality. The UPnP service on port 1900 also crashes, indicating a shared resource issue.
Exploitation of this vulnerability locks the router administrator out of the web management interface, which becomes permanently unresponsive. The UPnP service also fails, while other functions like DNS and internet routing remain operational. Recovery is not possible through remote means; the router must be physically power-cycled to restore the web interface.
The vulnerability can be reproduced by opening approximately 50 concurrent TCP connections to the router's HTTP server with slow or incomplete HTTP headers. This exhausts the connection pool, causing the HTTP service to become unresponsive. The UPnP service on port 1900 will also crash simultaneously.
No official fix is planned for this vulnerability, as the product is considered end-of-life. However, users can manually power cycle the router to restore the web interface.
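The design flaw behind this advisory is a fixed-size handler pool whose slots are never reclaimed from clients that stop mid-header. The following added example (not from the advisory or the vendor) models that pool with a small constructed slot count and shows, on local socket pairs only, that a header read timeout is what lets a complete request get served after every slot has been taken by incomplete ones; all names and numbers here are the example's own.

```python
import socket
import threading
import time

# Constructed demo values; the advisory's router pool holds roughly 50 connections.
POOL_SIZE = 3
HEADER_TIMEOUT = 0.3   # seconds a client gets to deliver a complete request header
ADMIT_WAIT = 1.0       # seconds a new request waits for a free slot before giving up


def read_request(conn, header_timeout):
    """Read one HTTP request head from an accepted connection.

    header_timeout=None reproduces the vulnerable design: a client that never
    sends the terminating blank line occupies the slot indefinitely.
    """
    conn.settimeout(header_timeout)
    buf = b""
    try:
        while b"\r\n\r\n" not in buf:
            chunk = conn.recv(1024)
            if not chunk:
                return "closed"
            buf += chunk
        return "served"
    except socket.timeout:
        return "timed out"          # slot is released by the caller's finally
    finally:
        conn.close()


class BoundedPool:
    """A fixed number of handler slots, like the router's HTTP server."""

    def __init__(self, size, header_timeout):
        self.slots = threading.BoundedSemaphore(size)
        self.header_timeout = header_timeout

    def submit(self, conn):
        """Return the handler outcome, or 'rejected' if no slot frees up in time."""
        if not self.slots.acquire(timeout=ADMIT_WAIT):
            conn.close()
            return "rejected"
        try:
            return read_request(conn, self.header_timeout)
        finally:
            self.slots.release()


def admin_request_survives(header_timeout):
    """Occupy every slot with an incomplete header, then submit one complete request."""
    pool = BoundedPool(POOL_SIZE, header_timeout)
    holders = []
    for _ in range(POOL_SIZE):
        client, server_end = socket.socketpair()
        client.sendall(b"GET / HTTP/1.1\r\nHost: router\r\n")      # never terminated
        threading.Thread(target=pool.submit, args=(server_end,), daemon=True).start()
        holders.append(client)
    time.sleep(0.2)                                                # let holders take their slots
    client, server_end = socket.socketpair()
    client.sendall(b"GET / HTTP/1.1\r\nHost: router\r\n\r\n")      # complete admin request
    outcome = pool.submit(server_end)
    for h in holders + [client]:
        h.close()
    return outcome


if __name__ == "__main__":
    print("no header timeout:  ", admin_request_survives(None))            # rejected
    print("with header timeout:", admin_request_survives(HEADER_TIMEOUT))  # served
```

With `header_timeout=None` the complete request is never admitted, which is the lockout the advisory describes; with a timeout the stalled slots are reclaimed and the same request is served.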