Mercusys AC12G Plaintext Transmission of DDNS Credentials Vulnerability

A vulnerability exists in the Mercusys AC12G (EU) V1 router, specifically in the firmware version AC12G(EU)_V1_200909. The router's Dynamic Domain Name System (DDNS) client transmits user credentials, including usernames and passwords, to external DDNS providers over unencrypted HTTP. While the credentials are encoded in Base64 and sent in the 'Authorization: Basic' header, this encoding is easily reversible. The absence of any SSL/TLS implementation in the firmware allows for man-in-the-middle interception of these DDNS service credentials. This vulnerability affects users of DynDNS and No-IP services, as the intercepted credentials could be reused if shared with other services.

Impact

Exploitation of this vulnerability exposes DDNS credentials to any network observer between the router and the DDNS provider. The lack of TLS in the firmware means this issue cannot be resolved through configuration changes. Additionally, there is a risk of credential reuse if DDNS credentials are shared with other services.

Remediation

Users are advised to implement TLS for all outbound HTTP connections that carry authentication credentials. At a minimum, routers should support HTTPS endpoints for DDNS providers, as both DynDNS and No-IP offer HTTPS.