Mercusys AC12G
- AC12G(EU)_V1_200909
- AC12G(EU)_V1_210128
A vulnerability exists in the Mercusys AC12G (EU) V1 router, specifically in the TDDP password change endpoint, which allows unauthenticated brute-force attacks. The issue arises because the password change endpoint lacks the rate limiting applied to the login endpoint, so an attacker on the adjacent network can attempt an unlimited number of password guesses without triggering an account lockout. The vulnerability affects routers running the AC12G(EU)_V1_200909 firmware and has been tested on that version as well as AC12G(EU)_V1_210128.
Exploitation of this vulnerability could lead to full administrative access on the router, allowing for unauthorized changes to the device's configuration and management of network resources. The absence of a lockout or detection mechanism means that users are not alerted to the ongoing attack. This vulnerability can be exploited by any device on the local area network, including compromised IoT devices.
The vulnerability can be reproduced by sending a series of password change requests to the TDDP password change endpoint (code=10) via the router's HTTP interface. The endpoint will process the requests without any rate limiting or lockout, allowing for rapid brute-force attempts at guessing the admin password. This can be done at a speed of approximately 700 to 1500 passwords per second, with no account lockout observed after over one million consecutive attempts.
To address this vulnerability, it is recommended to apply the same rate limiting to the password change endpoint (code=10) that is currently in place on the login endpoint (code=7). Additionally, password change requests should require an active authenticated session before being processed, and account lockout mechanisms should be implemented across all endpoints that validate authentication.
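As an added illustration (not part of the advisory), the following Python flags the traffic pattern described above in a request log: a source sending a burst of code=10 password change requests at hundreds per second while a legitimate administrator produces only isolated events. The log line format and the sample entries are constructed for this example; the endpoint codes 7 and 10 come from the advisory.

```python
from collections import defaultdict, deque

# TDDP endpoint codes named in the advisory
LOGIN_CODE = 7
PASSWORD_CHANGE_CODE = 10


def parse_line(line):
    """Parse a constructed log line: '<epoch_seconds> <src_ip> code=<n>'."""
    ts, src, code = line.split()
    return float(ts), src, int(code.split("=")[1])


def flag_sources(lines, code=PASSWORD_CHANGE_CODE, window=1.0, threshold=50):
    """Return {src_ip: peak_count} for sources whose number of requests
    with the given endpoint code inside any sliding `window` seconds
    exceeds `threshold`. A single admin password change never trips it;
    a brute-force flood at 700-1500 req/s trips it within a fraction
    of a second."""
    recent = defaultdict(deque)   # src_ip -> timestamps inside the window
    flagged = {}
    for line in lines:
        ts, src, c = parse_line(line)
        if c != code:
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop timestamps outside the window
            q.popleft()
        if len(q) > threshold:
            flagged[src] = max(flagged.get(src, 0), len(q))
    return flagged


def build_sample_log():
    """Constructed sample: one legitimate admin session and one host
    hammering the password change endpoint at roughly 1000 req/s."""
    lines = [
        "1700000000.000 192.168.0.5 code=7",    # admin logs in (rate limited)
        "1700000001.500 192.168.0.5 code=10",   # admin changes password once
    ]
    lines += [f"{1700000010 + i / 1000:.3f} 192.168.0.23 code=10"
              for i in range(300)]               # 300 guesses in 0.3 s
    return lines


if __name__ == "__main__":
    print(flag_sources(build_sample_log()))   # {'192.168.0.23': 300}
```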