Waveshare RS232/485 TO WIFI ETH (B) Serial to Ethernet/Wi-Fi Gateway Firmware V3.1.1.0: HW 4.3.2.1: Webpage V7.04T.07.002880.0301 allows attackers to set the Administrator password and username as blank values, allowing attackers to bypass authentication.
The device's web interface (configuration page) does not validate the correctness of entered authentication data — it allows setting empty values for the administrator username and password fields (CWE-620: Unverified Password Change). An attacker can intentionally zero out the login credentials and then gain access to the administrative panel without providing any credentials. The attack requires no user interaction or prior authentication and can be conducted remotely over the network.
An attacker gains full administrative access to the device, enabling changes to network configuration and serial data transmission, potential takeover of connected OT/ICS devices, and breach of system confidentiality, integrity, and availability.
Apply patches available from the manufacturer according to references. Until the fix is deployed, it is recommended to isolate the device from untrusted networks (network segmentation, firewall), and access to the web interface should be restricted exclusively to trusted hosts or management networks.
Waveshare RS232/485 TO WIFI ETH (B) with firmware V3.1.1.0, hardware version 4.3.2.1, and web interface Webpage V7.04T.07.002880.0301
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HWaveshare Rs232\/485 To Wifi Eth \(b\)
HWWaveshare4.3.2.1Waveshare Rs232\/485 To Wifi Eth \(b\) Firmware
OSWaveshare3.1.1.0
Related vulnerabilities
A lack of Management Frame Protection in Waveshare RS232/485 TO WIFI ETH (B) Serial to Ethernet/Wi-Fi Gateway ...
Waveshare RS232/485 TO WIFI ETH (B) Serial to Ethernet/Wi-Fi Gateway Firmware V3.1.1.0: HW 4.3.2.1: Webpage V7...
Waveshare RS232/485 TO WIFI ETH (B) Serial to Ethernet/Wi-Fi Gateway Firmware V3.1.1.0: HW 4.3.2.1: Webpage V7...