Mercusys AC12G (EU) V1 Router Hardcoded DES Key Vulnerability in Backup Encryption

Vulnerability

A vulnerability exists in the Mercusys AC12G (EU) V1 router, firmware version AC12G(EU)_V1_200909. The router encrypts configuration backup files with a hardcoded DES key in ECB mode, a method that is no longer considered secure. An attacker who obtains a backup file can decrypt it and read sensitive information, including the admin password, WiFi pre-shared keys, PPPoE credentials, and DDNS information. The same DES key is used across various TP-Link and Mercusys devices, amplifying the risk of credential exposure.

Impact

Exploitation of this vulnerability exposes every credential stored in the decrypted backup file, including the admin password, WiFi WPA2 pre-shared keys, PPPoE username and password, DDNS credentials, and guest network credentials. The use of DES, which is cryptographically broken, compounds the vulnerability, because its 56-bit effective key can be brute-forced. The same issue applies across multiple TP-Link and Mercusys product lines, increasing the potential impact.
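The ECB weakness described above can be checked for without any key, because ECB maps identical plaintext blocks to identical ciphertext blocks. The audit heuristic below is an added example, not code from the advisory or the vendor; the keyed hash is a stand-in for a block cipher (not DES), and DEMO_KEY, the sample config and all function names are constructed for illustration.

```python
import hashlib
from collections import Counter

BLOCK = 8  # DES block size in bytes

def ecb_block_stats(blob, block=BLOCK):
    """Count ciphertext blocks that occur more than once (the ECB signature)."""
    if not blob or len(blob) % block:
        return {"aligned": False, "blocks": 0, "repeated": 0}
    counts = Counter(blob[i:i + block] for i in range(0, len(blob), block))
    repeated = sum(n for n in counts.values() if n > 1)
    return {"aligned": True, "blocks": sum(counts.values()), "repeated": repeated}

def looks_like_ecb(blob, min_repeated=4):
    """Heuristic: block-aligned length plus several repeated 8-byte blocks."""
    stats = ecb_block_stats(blob)
    return stats["aligned"] and stats["repeated"] >= min_repeated

# --- Constructed demo data (assumption: NOT real DES, NOT a real backup) ---
# A keyed hash truncated to 8 bytes stands in for a block cipher. It only
# reproduces the property that matters here: the same input block under the
# same key always gives the same output block.
DEMO_KEY = b"constructed-demo-key"

def standin_ecb(plain):
    out = b""
    for i in range(0, len(plain), BLOCK):
        out += hashlib.blake2b(plain[i:i + BLOCK], key=DEMO_KEY, digest_size=BLOCK).digest()
    return out

def standin_chained(plain, iv=b"\x00" * BLOCK):
    # Each output block also depends on the previous one, as in a chained mode.
    out, prev = b"", iv
    for i in range(0, len(plain), BLOCK):
        prev = hashlib.blake2b(prev + plain[i:i + BLOCK], key=DEMO_KEY, digest_size=BLOCK).digest()
        out += prev
    return out

def demo_config():
    # Constructed config: two fields, each followed by fixed-size zero padding.
    body = b"admin_name=constructed\n" + b"\x00" * 64 + b"ssid=constructed-net\n" + b"\x00" * 64
    return body + b"\x00" * (-len(body) % BLOCK)

if __name__ == "__main__":
    for name, enc in (("ecb", standin_ecb), ("chained", standin_chained)):
        blob = enc(demo_config())
        print(name, ecb_block_stats(blob), "ECB-like:", looks_like_ecb(blob))
```

A backup format that trips this check leaks plaintext structure even before any key is recovered, which is a reason to treat exported backups as sensitive files.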

Added: Jun 3, 2026, 6:53 PM
Updated: Jun 3, 2026, 6:53 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 6.0
remediation: 0.0
relevance: 9.9
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.