Vulnerability
Insufficiently Protected Credentials / UI Exposure of Secrets: Web Management Interface (M2M Web Server) Displays Administrator Password in Plaintext Input Field.
Vulnerability Description
The web interface of the Waveshare RS232/485 TO WIFI ETH (B) Serial-to-Ethernet/Wi-Fi Gateway (Firmware V3.1.1.0, HW 4.3.2.1, Webpage V7.04T.07.002880.0301) displays the administrator password in plaintext.
The password field (SYSPS) is rendered as <input type="text"> rather than <input type="password">, so the stored administrator password is shown on screen unmasked and can be read by anyone who can view the page or inspect its DOM in browser developer tools.
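The check below is an added example, not code from Payatu or Waveshare: it parses a saved copy of a management page and flags every <input> whose name looks like a secret but which is rendered as type="text" (the condition described above). It also generalizes slightly, reporting a stored secret that is echoed back in the value attribute, since that is readable in developer tools even when the field is type="password". The field name SYSPS is taken from the advisory; the HTML, field values and other names are constructed for the example, and the regex of secret-like names is an assumption to tune per device.

```python
"""Flag secret-bearing <input> elements that a web UI renders in plaintext.

Added example for this advisory (not Payatu's or Waveshare's code). Two
weaknesses are reported per field: rendered as type="text" (the condition in
CVE-2025-63361), and stored secret echoed in the value attribute, which is
visible in DevTools regardless of the input type.
"""
import re
from html.parser import HTMLParser

# Constructed sample of a vulnerable management form (not captured from the device).
VULNERABLE_PAGE = """
<html><body><form action="/config.cgi" method="post">
  <input type="text" name="SYSUS" value="admin">
  <input type="text" name="SYSPS" value="hunter2">
  <input type="password" name="WLANPW" value="">
  <input type="hidden" name="FORMID" value="1">
</form></body></html>
"""

# Constructed hardened variant: masked field, stored value never sent to the browser.
HARDENED_PAGE = """
<html><body><form action="/config.cgi" method="post">
  <input type="text" name="SYSUS" value="admin">
  <input type="password" name="SYSPS" value="" autocomplete="new-password">
  <input type="password" name="WLANPW" value="">
  <input type="hidden" name="FORMID" value="1">
</form></body></html>
"""

# Assumed name fragments vendors use for secret fields; the short "ps"/"pw"
# suffixes cover identifiers such as SYSPS. Extend for the device under test.
SECRET_NAME = re.compile(r"pass|pwd|psk|secret|token|key|ps$|pw$", re.I)


class PlaintextSecretFinder(HTMLParser):
    """Collects <input> elements whose name looks like a secret and whose
    rendering exposes its value."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        # attrs is a list of (name, value); value is None for bare attributes.
        a = {k.lower(): (v or "") for k, v in attrs}
        name = a.get("name") or a.get("id") or ""
        if not SECRET_NAME.search(name):
            return
        # A missing type attribute defaults to "text" in HTML.
        field_type = a.get("type", "text").lower()
        issues = []
        if field_type != "password":
            issues.append(f"rendered as type={field_type!r}, secret visible on screen")
        if a.get("value"):
            issues.append("stored secret echoed in value attribute (readable in DevTools)")
        if issues:
            self.findings.append({"name": name, "type": field_type, "issues": issues})


def find_exposed_secrets(html):
    """Return one finding per secret-like input that exposes its value."""
    parser = PlaintextSecretFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for label, page in (("vulnerable", VULNERABLE_PAGE), ("hardened", HARDENED_PAGE)):
        print(f"{label}: {find_exposed_secrets(page)}")
```

Run it against the HTML saved from the device's configuration page (the script deliberately does no network access). The hardened form shows the fix that actually closes the issue: a masked field that is sent to the browser empty, so the current password is never disclosed; changing the input type alone still leaves the secret in the page source.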
Impact
Anyone who can view the management page or inspect its DOM obtains the valid administrator password and can use it to log in and reconfigure the device, resulting in full device compromise.
CVE-ID
CVE-2025-63361
Vendor
Waveshare Electronics
Product
| Product Name | Affected Version |
|---|---|
| RS232/485 TO WIFI ETH (B) | Firmware V3.1.1.0 (HW 4.3.2.1, Webpage V7.04T.07.002880.0301) |
CWE
CWE-522 – Insufficiently Protected Credentials
CWE-256 – Unprotected Storage of Credentials
CVSS v3.1 Scoring
- Base Score: 6.5 (Medium)
- Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
- Note: the vector as written evaluates to 5.7 under the CVSS v3.1 formula; 6.5 is the score for the same vector with UI:N. Consult the NVD entry for the authoritative values.
Disclosure Timeline
- 16 Sep 2025 — Initial report sent via Waveshare support portal with full disclosure report.
- 23 Sep 2025 — Vendor acknowledged receipt.
- 23 Sep 2025 — Researcher requested remediation timeline, CVD process, and CVE coordination details.
- 24 Sep 2025 — Vendor replied: “Information received; feedback will be taken into account in future research.”
- 24 Sep 2025 — Researcher requested confirmation on CVD process and timeline.
- 27 Sep 2025 — Vendor responded: “No specific timeline can be provided; security feedback will be considered in subsequent products.”
- 27 Sep 2025 — Researcher informed vendor case would be reported to MITRE for CVE assignment.
- 29 Sep 2025 — Reported to MITRE for CVE assignment.
- 10 Nov 2025 — CVE ID reserved.
- 11 Nov 2025 — Public advisory released by Payatu.
Credits
Abhishek Pandey – Payatu Security Consulting Pvt. Ltd.