Technical Advisory

Through sharp, technical and insightful analysis, the Payatu Team is constantly on the lookout for vulnerabilities and threats. This section exhibits a few of our findings.

Authentication Bypass via Blank Credentials in Waveshare RS232/485 TO WIFI ETH (B) 

Vulnerability 

Improper Authentication / Authentication Bypass: The device allows the Administrator username and password to be set to blank values, which disables authentication on the Web and Telnet interfaces.

Vulnerability Description 

The CGI handler /EN/do_cmd.html fails to validate the admuser and SYSPS parameters. 
If both are left blank, the authentication check is bypassed, granting unauthenticated administrative access. 
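
A detection sketch for the condition described above, added here as an example and not code from Payatu or Waveshare: it flags requests to /EN/do_cmd.html that set admuser and SYSPS to blank values. It assumes the parameters arrive as URL-encoded query or form fields; the function names and sample requests are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

HANDLER = "/EN/do_cmd.html"          # CGI handler named in the advisory
CRED_PARAMS = ("admuser", "SYSPS")   # parameters named in the advisory


def blank_credential_params(url, body=""):
    """Return the credential parameters that a request to the handler sets
    to a blank value. Empty list: other path, or no blank credentials."""
    parts = urlsplit(url)
    if parts.path != HANDLER:
        return []
    blank = []
    # Assumption: fields are URL-encoded, in the query string or the body.
    for source in (parts.query, body):
        # keep_blank_values=True is essential: by default parse_qs drops
        # "admuser=" entirely, hiding exactly the case being looked for.
        fields = parse_qs(source, keep_blank_values=True)
        for name in CRED_PARAMS:
            values = fields.get(name, [])
            # Whitespace-only values ("%20", "+") are treated as blank too.
            if any(v.strip() == "" for v in values) and name not in blank:
                blank.append(name)
    return blank


def classify(url, body=""):
    """'alert' when both credentials are blanked, 'review' when only one is."""
    blank = blank_credential_params(url, body)
    if set(blank) == set(CRED_PARAMS):
        return "alert"
    return "review" if blank else "ok"


# Constructed sample requests (method, URL, form body); not captured traffic.
SAMPLES = [
    ("POST", "http://192.0.2.10/EN/do_cmd.html", "admuser=&SYSPS="),
    ("POST", "http://192.0.2.10/EN/do_cmd.html", "admuser=admin&SYSPS=%20"),
    ("POST", "http://192.0.2.10/EN/do_cmd.html", "admuser=ops&SYSPS=S3cure%21pass"),
    ("GET", "http://192.0.2.10/EN/do_cmd.html?admuser=&SYSPS=", ""),
    ("GET", "http://192.0.2.10/EN/index.html?admuser=&SYSPS=", ""),
]

if __name__ == "__main__":
    for method, url, body in SAMPLES:
        print(classify(url, body), method, url, body)
```

The same rule can be applied to reverse-proxy or packet-capture records in front of the device, where an "alert" result marks a configuration change that leaves the Web and Telnet interfaces without authentication.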

Impact 

Unauthenticated attackers can fully control the device, alter network settings, and upload firmware. 

CVE ID 

CVE-2025-63362 

Vendor 

Waveshare Electronics 

Product 

Product Name: RS232/485 TO WIFI ETH (B)
Affected Version: Firmware V3.1.1.0 (HW 4.3.2.1, Webpage V7.04T.07.002880.0301)

CWE 

CWE-521 – Weak Passwords (Blank or Default Credentials) 
CWE-287 – Improper Authentication 

CVSS v3.1 

  • Base Score: 9.8 (Critical) 
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 
     

Disclosure Timeline 

  • 16 Sep 2025 — Initial report sent via Waveshare support portal with full disclosure report. 
  • 23 Sep 2025 — Vendor acknowledged receipt. 
  • 23 Sep 2025 — Researcher requested remediation timeline, CVD process, and CVE coordination details. 
  • 24 Sep 2025 — Vendor replied: “Information received; feedback will be taken into account in future research.” 
  • 24 Sep 2025 — Researcher requested confirmation on CVD process and timeline. 
  • 27 Sep 2025 — Vendor responded: “No specific timeline can be provided; security feedback will be considered in subsequent products.” 
  • 27 Sep 2025 — Researcher informed vendor case would be reported to MITRE for CVE assignment. 
  • 29 Sep 2025 — Reported to MITRE for CVE assignment. 
  • 10 Nov 2025 — CVE ID reserved. 
  • 11 Nov 2025 — Public advisory released by Payatu. 

Credits 

Abhishek Pandey – Payatu Security Consulting Pvt. Ltd. 
