Merck'd-U!

Request for CVE and full disclosure of 0-Click/1-Click RCE in default ISP routers (Mercku M6a)

Introduction

Router vulnerabilities continue to pose significant threats to home networks. Today, I’ll document a series of critical flaws discovered in Mercku routers, specifically the M6a model, that could allow attackers to achieve remote code execution with minimal effort. The flaws have been tested and confirmed against version 2.1.0 of the official firmware. This post is also an informal escalation of the request for CVEs for these vulnerabilities (CVE Request 1744791).