Post 03 | Waveshare RS232/485 Gateway: Wi-Fi Deauthentication DoS (CVE-2025-63363)
1. Executive Summary
CVSS v3.1 Base Score: 7.5 (High) — AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS v4.0 Base Score: 8.7 (High) — CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H
CVE ID: CVE-2025-63363
ATTENTION: Exploitable by any attacker within wireless range / no authentication required
Vendor: Waveshare Electronics
Equipment: Waveshare RS232/485 TO WIFI ETH (B) Serial-to-Ethernet/Wi-Fi Gateway
Vulnerability: Missing IEEE 802.11w Management Frame Protection (MFP), enabling forged deauthentication and disassociation attacks
The Waveshare RS232/485 TO WIFI ETH (B) device does not implement IEEE 802.11w Management Frame Protection. As a result, the device accepts unauthenticated deauthentication and disassociation frames, allowing attackers within Wi-Fi range to disconnect legitimate clients and cause sustained denial-of-service (DoS).
2. Risk Evaluation
This vulnerability is classified as High severity due to:
- No authentication required to exploit
- Attack possible by any attacker within wireless proximity
- Repeated deauth frames can fully disrupt the device’s wireless function
- Disruption may sever serial-to-IP communication paths
- In industrial automation or IIoT settings, DoS can interrupt telemetry, alarms, or PLC/RTU data flow
Attacks are silent, continuous, and difficult to detect without wireless intrusion monitoring.
3. Technical Details
3.1 Affected Products
- Waveshare RS232/485 TO WIFI ETH (B)
- Firmware: V3.1.1.0
- Hardware: 4.3.2.1
- Web UI: V7.04T.07.002880.0301
3.2 Vulnerability Description
The device does not support IEEE 802.11w MFP.
As a result:
- Management frames (including deauth & disassoc) are not authenticated
- Any attacker with a Wi-Fi interface in monitor/injection mode can craft forged frames
- The device and clients accept these as legitimate
Example attack pattern:
  Deauthentication frame:
    Source: spoofed AP MAC
    Reason Code: 7 (Class 3 frame received from nonassociated station)
Attack tools such as aireplay-ng, mdk4, or scapy can repeatedly send forged frames, keeping clients disconnected indefinitely.
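As an added illustration of the detection side (example code written for this post, not Waveshare firmware or any of the tools named above), the following Python decodes the fixed 802.11 management header of deauthentication/disassociation frames, ignores frames that carry the MFP "protected" flag, and raises an alert when one source MAC sends a burst of unprotected ones within a short window, which is the check the wireless IDS recommended under Mitigations would perform. The sample frames, MAC addresses, window length and threshold are constructed values, not captures from the device.

```python
import struct
from collections import defaultdict, deque

DEAUTH, DISASSOC = 0xC, 0xA            # 802.11 management subtypes
PROTECTED_FLAG = 0x40                  # FC flags byte: body is encrypted under 802.11w MFP

# Constructed sample frames (not real captures): 24-byte management header + 2-byte reason code.
SAMPLE_DEAUTH = bytes.fromhex("c0003a01001122334455aabbccddeeffaabbccddeeff10000700")
SAMPLE_DEAUTH_MFP = bytes.fromhex("c0403a01001122334455aabbccddeeffaabbccddeeff10000700")

def parse_mgmt_frame(raw):
    """Decode a deauth/disassoc frame: addresses, protected flag and reason code."""
    if len(raw) < 26:
        return None
    fc0, fc1 = raw[0], raw[1]
    if fc0 & 0x0C != 0:                # type bits must be 00 (management)
        return None
    subtype = fc0 >> 4
    if subtype not in (DEAUTH, DISASSOC):
        return None
    mac = lambda off: ":".join(f"{b:02x}" for b in raw[off:off + 6])
    reason = struct.unpack_from("<H", raw, 24)[0]   # little-endian, right after the header
    return {"subtype": subtype, "da": mac(4), "sa": mac(10), "bssid": mac(16),
            "protected": bool(fc1 & PROTECTED_FLAG), "reason": reason}

class DeauthFloodDetector:
    """Alert when one source sends >= threshold unprotected deauth/disassoc frames per window."""
    def __init__(self, window_s=2.0, threshold=5):
        self.window_s, self.threshold = window_s, threshold
        self.seen = defaultdict(deque)  # source MAC -> recent timestamps

    def observe(self, ts, raw):
        frame = parse_mgmt_frame(raw)
        if frame is None or frame["protected"]:
            return None                # not deauth/disassoc, or MFP-protected: ignore
        q = self.seen[frame["sa"]]
        q.append(ts)
        while q and ts - q[0] > self.window_s:
            q.popleft()                # drop timestamps outside the sliding window
        if len(q) >= self.threshold:
            return {"alert": "deauth_flood", "sa": frame["sa"], "bssid": frame["bssid"],
                    "count": len(q), "reason": frame["reason"]}
        return None

def replay(frames, detector=None):
    """Feed (timestamp, raw_frame) pairs through a detector; return the alerts raised."""
    detector = detector or DeauthFloodDetector()
    return [a for ts, raw in frames if (a := detector.observe(ts, raw)) is not None]
```

A real deployment would feed frames from a monitor-mode capture and key the window on BSSID as well as source MAC, since a spoofed source is exactly what the attack uses.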
3.3 Attack Scenarios
Scenario 1 — Continuous DoS
An attacker runs a loop sending forged deauth frames, preventing all Wi-Fi clients from reconnecting.
Scenario 2 — Intermittent operational disruption
The attacker disrupts communications during critical automation workflows, such as PLC polling.
Scenario 3 — Combined with other vulnerabilities
If combined with the cleartext credential exposure (CVE-2025-63364), attackers can sniff admin logins while forcing reconnections.
4. Mitigations
User Recommendations
- Prefer wired Ethernet for critical deployments.
- Place device Wi-Fi on isolated or low-trust networks.
- Deploy wireless IDS systems to detect abnormal deauth activity.
- Follow CISA ICS hardening guidance:
  https://www.cisa.gov/news-events/ics-alerts/ics-alert-10-301-01
- Limit RF exposure by lowering transmit power or relocating APs.
Vendor Recommendations
- Implement IEEE 802.11w MFP support.
- Validate deauth and disassoc frames.
- Add rate-limiting and anomaly detection for unprotected management frames.
- Provide logging options for Wi-Fi security events.
5. Disclosure Timeline
- 16 Sep 2025 — Initial report sent to Waveshare
- 23 Sep 2025 — Vendor acknowledged report
- 23–27 Sep 2025 — Researcher requested CVD details; no remediation timeline offered
- 27 Sep 2025 — Researcher escalated to MITRE
- 29 Sep 2025 — Reported to MITRE for CVE assignment
- 10 Nov 2025 — CVE reserved
- 11 Nov 2025 — Public disclosure
6. Background
Waveshare’s RS232/485 gateway is widely deployed in:
- industrial automation networks
- IIoT sensor and telemetry systems
- building automation and access control
- embedded development/test labs
Reliable Wi-Fi is crucial in these environments; the lack of MFP exposes them to trivial DoS.
7. Researcher
Ranit Pradhan
Abhishek Pandey
Payatu Security Consulting Pvt. Ltd.