Post

Post 01 | Waveshare RS232/485 Gateway: Plaintext Admin Password Exposure (CVE-2025-63361)

Posted
By Abhishek Pandey
3 min read

1. Executive Summary

A vulnerability in the Waveshare RS232/485 TO WIFI ETH (B) device exposes the administrator password in plaintext within the web management interface. This occurs due to insecure UI design and plaintext embedding of sensitive values in HTML responses.

  • CVE ID: CVE-2025-63361
  • CVSS v3.1 Base Score: 5.7 (Medium) — AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
  • CVSS v4.0 Base Score: 6.9 (Medium) — CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N
  • Attention: Exploitable remotely / low attack complexity
  • Vendor: Waveshare Electronics
  • Equipment: Waveshare RS232/485 TO WIFI ETH (B) Serial-to-Ethernet/Wi-Fi Gateway
  • Vulnerability: Insufficiently Protected Administrator Credentials (Plaintext Password Exposure)
  • CSAF Document: View CSAF

2. Risk Evaluation

The vulnerability significantly increases risk because:

  • The administrator password is fully exposed in the UI and HTML source.
  • Any authenticated user—even with minimal privileges—can extract the password.
  • An attacker who compromises a low-privileged user account can escalate to full administrative control.
  • Exposure may occur through shoulder surfing, browser screenshotting, remote viewing tools, shared terminals, or cached UI content.
  • Attackers may use the obtained credentials to reconfigure networking parameters, serial routing logic, Telnet access, or Wi-Fi SSID settings.

In ICS or IIoT deployments, this may enable operational disruption, network pivoting, or unauthorized data interception.

3. Technical Details

3.1 Affected Products

The vulnerability affects:

  • Waveshare RS232/485 TO WIFI ETH (B)
    • Firmware Version: V3.1.1.0
    • Hardware Version: 4.3.2.1
    • Web Interface: V7.04T.07.002880.0301

3.2 Vulnerability Description

The administrator password (SYSPS) is displayed via:

1

<input type="text" name="SYSPS" value="admin123">

Technical issues include:

  • The password field is incorrectly implemented as type="text" instead of type="password".
  • Backend responses embed the password in plaintext inside HTML.
  • Browsers automatically cache this field, creating additional side-channel exposure.
  • Developer consoles and DOM inspection reveal the password with no obfuscation.
  • No encryption, hashing, or masking is applied at any stage of display.

3.3 Attack Scenarios

  • Scenario 1: Low-privilege user escalates A technician with limited access enters the configuration page and obtains the admin password from the rendered input field.

  • Scenario 2: Shoulder surfing Operators in factory floors, labs, or field sites access the web UI while others observe.

  • Scenario 3: Remote desktop compromise If a workstation used to access the UI is compromised, attackers can extract cached HTML containing the password.

  • Scenario 4: Shared kiosk or maintenance machine Cached browser content reveals the credential to subsequent users.

4. Mitigations

4.1 User Recommendations

  • Restrict management interface access to isolated management VLANs.
  • Avoid exposing the device to untrusted or public networks.
  • Disable browser auto-fill and clear cache after administrative sessions.
  • Implement network segmentation per CISA guidance: https://www.cisa.gov/news-events/ics-alerts/ics-alert-10-301-01
  • Use dedicated secured workstations for device configuration.
  • Enforce strong physical access control to devices and terminals.

4.2 Vendor Recommendations

  • Replace password fields with properly masked UI elements.
  • Remove plaintext passwords from backend HTML responses.
  • Use secure credential storage (hashed/salted).
  • Implement API-level separation for password updates without reading existing values.
  • Introduce TLS support to avoid plaintext transport of sensitive fields.

5. Disclosure Timeline

  • 16 Sep 2025 — Researcher submitted the initial vulnerability report to Waveshare.
  • 23 Sep 2025 — Vendor acknowledged receipt of the report.
  • 23–27 Sep 2025 — Researcher requested details regarding triage timeline and CVD process; vendor provided no remediation timeline.
  • 27 Sep 2025 — Researcher notified vendor that disclosure would proceed through MITRE.
  • 29 Sep 2025 — Vulnerability reported to MITRE for CVE assignment.
  • 10 Nov 2025 — CVE reserved.
  • 11 Nov 2025 — Public advisory released.

6. Background

This gateway is used in:

  • PLC/RTU integrations in industrial automation.
  • IIoT sensor networks and telemetry applications.
  • Smart metering and remote field-device connectivity.
  • Maker and embedded development ecosystems.
  • Access control and building automation systems.

Credentials exposure in such environments may create opportunities for lateral movement, configuration sabotage, or data interception.

7. Researcher

Abhishek Pandey
Payatu Security Consulting Pvt. Ltd.

Advisory
Waveshare IoT Security ICS Security Serial Gateways Credential Exposure Plaintext Password Web Interface Security Payatu Research CVE-2025-63361
This post is licensed under CC BY-NC-ND 4.0 license by the author.