Post 02 | Waveshare RS232/485 Gateway: Authentication Bypass via Blank Credentials (CVE-2025-63362)

1. Executive Summary

A vulnerability in the Waveshare RS232/485 TO WIFI ETH (B) gateway allows authentication bypass when the administrator username and password are configured as blank values, disabling authentication entirely and granting unrestricted administrative access.

  • CVE ID: CVE-2025-63362
  • CVSS v3.1 Base Score: 9.8 (Critical) — AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVSS v4.0 Base Score: 9.3 (Critical) — CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H
  • Attention: Exploitable remotely / no authentication required
  • Vendor: Waveshare Electronics
  • Equipment: Waveshare RS232/485 TO WIFI ETH (B)
  • Vulnerability: Authentication Bypass via Blank Administrator Credentials
  • CSAF Document: View CSAF

2. Risk Evaluation

The vulnerability presents severe risk because:

  • Any remote attacker can obtain full administrative control with no credentials.
  • Configuration tampering may disrupt serial routing and industrial communication workflows.
  • Unauthorized users can modify key network and Wi-Fi settings, enabling deeper compromise.
  • Operational visibility and safety may be affected in ICS/IIoT environments.

3. Technical Details

3.1 Affected Products

  • Waveshare RS232/485 TO WIFI ETH (B)
    • Firmware Version: V3.1.1.0
    • Hardware Version: 4.3.2.1
    • Web Interface: V7.04T.07.002880.0301

3.2 Vulnerability Description

The endpoint /EN/do_cmd.html accepts blank administrator credential fields:

  • admuser — administrator username
  • SYSPS — administrator password

The device performs no validation to ensure the parameters are non-empty.

Example vulnerable request:

POST /EN/do_cmd.html
admuser=&SYSPS=

When both values are blank:

  • The device stores the empty credentials.
  • The authentication routine treats empty strings as valid.
  • Authentication on both the web and Telnet interfaces is bypassed.

This creates a universal access condition for any remote attacker.

3.3 Attack Scenarios

  • Scenario 1 — Remote unauthenticated takeover

    An attacker sends a request setting blank credentials and then logs in without a password.

  • Scenario 2 — Opportunistic exploitation

    If a legitimate user misconfigures the device (leaving credentials blank), the attacker simply browses to the web UI and gains full access.

  • Scenario 3 — Telnet control

    Once bypassed, Telnet access becomes unrestricted if enabled, allowing manipulation of low-level device operations.

4. Mitigations

4.1 User Recommendations

  • Ensure administrator credentials are never blank
  • Restrict management access via firewalls and VLAN segmentation
  • Disable Telnet if not required
  • Follow CISA ICS security guidance: https://www.cisa.gov/news-events/ics-alerts/ics-alert-10-301-01

4.2 Vendor Recommendations

  • Enforce mandatory non-empty credentials
  • Block saving empty configuration values
  • Implement password complexity requirements
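The following is an added example of the server-side checks recommended above, written against the admuser/SYSPS fields from section 3.2; it is not Waveshare's firmware code, and the handler name, policy values and plaintext config store are assumptions for illustration.

```python
import hmac
import string
from urllib.parse import parse_qs

MIN_PASSWORD_LEN = 8  # assumed policy value, not from the advisory


class ConfigError(ValueError):
    """Raised when a credential update must be rejected."""


def validate_credentials(username: str, password: str) -> None:
    """Reject blank or weak admin credentials before anything is stored.
    Whitespace-only values count as blank."""
    if not username.strip():
        raise ConfigError("admuser must not be blank")
    if not password.strip():
        raise ConfigError("SYSPS must not be blank")
    if len(password) < MIN_PASSWORD_LEN:
        raise ConfigError(f"SYSPS must be at least {MIN_PASSWORD_LEN} characters")
    classes = (any(c.islower() for c in password),
               any(c.isupper() for c in password),
               any(c.isdigit() for c in password),
               any(c in string.punctuation for c in password))
    if sum(classes) < 3:
        raise ConfigError("SYSPS must mix at least three character classes")


def handle_do_cmd(body: str, store: dict) -> tuple:
    """Hardened form handler (hypothetical): validate first, write to the
    config store only on success.  Returns (HTTP status, message)."""
    form = parse_qs(body, keep_blank_values=True)
    user = form.get("admuser", [""])[0]
    pwd = form.get("SYSPS", [""])[0]
    try:
        validate_credentials(user, pwd)
    except ConfigError as exc:
        return 400, str(exc)  # nothing is written to the store
    store["admuser"], store["SYSPS"] = user, pwd  # real firmware: hash pwd
    return 200, "credentials updated"


def authenticate(store: dict, user: str, pwd: str) -> bool:
    """Defence in depth: an empty stored credential never authenticates,
    even if an older firmware build let one through."""
    if not store.get("admuser") or not store.get("SYSPS"):
        return False
    return (hmac.compare_digest(store["admuser"], user)
            and hmac.compare_digest(store["SYSPS"], pwd))
```

The blank request from section 3.2 (`admuser=&SYSPS=`) is rejected with a 400 before anything reaches the configuration store, and a store that already holds empty values still refuses every login.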

5. Disclosure Timeline

  • 16 Sep 2025 — Initial report submitted
  • 23 Sep 2025 — Vendor acknowledgment
  • 23–27 Sep 2025 — Researcher remediation request; no timeline provided
  • 27 Sep 2025 — Escalation notification
  • 29 Sep 2025 — Submitted to MITRE
  • 10 Nov 2025 — CVE reserved
  • 11 Nov 2025 — Public disclosure

6. Background

This gateway is used in:

  • Industrial automation (PLC/RTU/SCADA serial bridges)
  • IIoT telemetry & sensor networks
  • Remote monitoring systems
  • Embedded development and maker ecosystems

7. Researcher

Abhishek Pandey
Payatu Security Consulting Pvt. Ltd.

This post is licensed under CC BY-NC-ND 4.0 license by the author.