Mercusys AC12G
- AC12G(EU)_V1_200909
- AC12G(EU)_V1_210128
A vulnerability exists in the Mercusys AC12G (EU) V1 router, specifically in the firmware version AC12G(EU)_V1_200909. This vulnerability involves hardcoded WiFi driver credentials embedded in the production firmware binary. The credentials include a RADIUS shared secret, a WPS test key, and a default Pre-Shared Key (PSK). These hardcoded credentials, left over from development and testing, could be activated under certain conditions, such as a failure in configuration or the enabling of specific wireless modes without proper key management.
The hardcoded credentials pose several risks: if WPA-Enterprise is used, the default RADIUS shared secret 'ralink' could allow for server impersonation. The default PSK of '12345678' for AP Client mode is easily guessable. Additionally, the presence of development IP addresses in the firmware could expose internal MediaTek infrastructure.
No official fix is planned. The recommended remediation is to:
- remove all development and test credentials from the production firmware;
- require explicit RADIUS key configuration when WPA-Enterprise is enabled;
- remove development infrastructure IP addresses from production builds;
- disable or compile-gate plaintext credential logging.
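One way to check a build for the leftover secrets and addresses described above, as an added example that is not code from the advisory or the vendor: a release-gate scan over an unpacked firmware image. The function name `scan_firmware`, the `allowed_ips` parameter and every byte in `SAMPLE` (including the 10.10.10.254 and 192.168.1.1 addresses) are constructed for illustration; only the two secret values come from the text above.

```python
import ipaddress
import re

# Default secrets named in the advisory text above, matched as whole C strings
# so that longer strings merely containing "ralink" are not flagged.
DENYLIST = {b"ralink": "default RADIUS shared secret",
            b"12345678": "default AP Client PSK"}
STRING_RE = re.compile(rb"[\x20-\x7e]{6,}")  # printable runs, like `strings -n 6`
IPV4_RE = re.compile(rb"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")


def scan_firmware(blob, allowed_ips=()):
    """Return (offset, kind, value) findings for one unpacked firmware image."""
    allowed = {ipaddress.ip_address(a) for a in allowed_ips}
    findings = []
    for run in STRING_RE.finditer(blob):
        text = run.group()
        if text in DENYLIST:
            findings.append((run.start(), DENYLIST[text], text.decode()))
        for hit in IPV4_RE.finditer(text):
            try:
                addr = ipaddress.ip_address(hit.group().decode())
            except ValueError:  # octet out of range, so not an address
                continue
            # Netmasks, wildcards and loopback are not infrastructure addresses.
            if addr.is_unspecified or addr.is_loopback or addr.packed[0] == 255:
                continue
            if addr not in allowed:
                findings.append((run.start() + hit.start(),
                                 "unexpected IPv4 literal", str(addr)))
    return findings


# Constructed sample: NUL-separated strings, not bytes from any real image.
SAMPLE = (b"\x7fELF\x01\x01\x00\x00"
          b"ralink\x00"
          b"12345678\x00"
          b"vendor=ralink-ap\x00"
          b"mask 255.255.255.0\x00"
          b"log host 10.10.10.254\x00"
          b"192.168.1.1\x00")

if __name__ == "__main__":
    for offset, kind, value in scan_firmware(SAMPLE, allowed_ips=["192.168.1.1"]):
        print(f"0x{offset:06x}  {kind}: {value}")
```

Run it on the extracted root filesystem and driver binaries rather than the packed image, since compressed sections hide the strings; dotted version numbers can show up as IPv4 findings and need a manual look.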