The Mercusys AC12G (EU) V1 router firmware version AC12G(EU)_V1_200909 transmits DDNS credentials without encryption, relying solely on Base64 encoding over plaintext HTTP. Because the firmware does not implement TLS, an attacker with network access can intercept these credentials via man-in-the-middle attacks. This vulnerability is categorized under CWE-319 (Cleartext Transmission of Sensitive Information) and CWE-523 (Unprotected Transport of Credentials). There is no vendor advisory or patch information available, and no known exploits in the wild have been reported.

An attacker positioned on the same network path can intercept DDNS credentials transmitted in cleartext, potentially allowing unauthorized access to the DDNS service associated with the device. This compromises confidentiality of authentication data but does not directly affect device integrity or availability.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, avoid using the affected firmware version on untrusted networks or consider disabling DDNS functionality if possible. Network segmentation or use of VPNs may reduce exposure but do not fully mitigate the lack of encryption in credential transmission.