Vulnerability
Cleartext Transmission of Credentials / Unprotected Transport:
Credentials are transmitted via HTTP Basic Authentication in plaintext over unencrypted HTTP.
Vulnerability Description
The embedded web interface of the Waveshare Industrial-grade Serial Server-to-Wi-Fi gateway devices uses HTTP Basic Authentication over plaintext HTTP. Administrator credentials are transmitted as Base64-encoded strings within the Authorization header. Base64 is an encoding method, not encryption, and can be trivially decoded by an attacker monitoring network traffic.
The device does not offer HTTPS/TLS support, so user credentials are exposed to passive interception by any attacker on the same network. This directly compromises authentication and confidentiality and enables unauthorized access to sensitive OT configuration interfaces.
This behavior violates secure transport principles and exposes administrative operations in ICS environments to interception, credential theft, and unauthorized system reconfiguration.
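To find where this exposure occurs on a monitored network, the following added example (not part of the original advisory or vendor code) flags plaintext HTTP requests that carry an `Authorization: Basic` header and reports the username and password length only. The sample requests, the 192.0.2.x addresses, the credentials and the function names are constructed for illustration.

```python
import base64
import binascii

# Constructed sample requests, as they would appear in a plaintext HTTP capture.
# The address 192.0.2.10 and the credentials are made up for this example.
_TOKEN = base64.b64encode(b"admin:example-pw")
SAMPLE_REQUESTS = [
    b"GET /index.html HTTP/1.1\r\nHost: 192.0.2.10\r\nAuthorization: Basic " + _TOKEN + b"\r\n\r\n",
    b"GET /status HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n",
    b"GET /cfg HTTP/1.1\r\nHost: 192.0.2.10\r\nauthorization: basic !!!not-base64\r\n\r\n",
    b"GET /api HTTP/1.1\r\nHost: 192.0.2.11\r\nAuthorization: Bearer abc.def\r\n\r\n",
]


def find_cleartext_basic_auth(raw_request: bytes):
    """Return a finding for a plaintext request carrying Basic credentials, else None."""
    head = raw_request.partition(b"\r\n\r\n")[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:  # header names are case-insensitive
            headers[name.strip().lower()] = value.strip()
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    finding = {"request": request_line, "host": headers.get("host"),
               "user": None, "password_len": None, "malformed": False}
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        finding["malformed"] = True  # still a finding: the client attempted Basic over HTTP
        return finding
    user, _, password = decoded.partition(":")  # RFC 7617: user-id contains no colon
    finding["user"] = user
    finding["password_len"] = len(password)  # report the length only, never the secret
    return finding


def scan(requests):
    """Collect findings for every request that exposes Basic credentials."""
    return [f for f in map(find_cleartext_basic_auth, requests) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_REQUESTS):
        print(f)
```

Any account that appears in a finding should be treated as exposed and its password rotated once the management interface is moved behind an encrypted path.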
Impact
Intercepted credentials enable remote administrative access.
CVE ID
CVE-2025-63364
Vendor
Waveshare Electronics
Product
| Product Name | Affected Version |
| --- | --- |
| RS232/485 TO WIFI ETH (B) | Firmware V3.1.1.0 (HW 4.3.2.1, Webpage V7.04T.07.002880.0301) |
CWE
CWE-319 – Cleartext Transmission of Sensitive Information
CWE-523 – Unprotected Transport of Credentials
CVSS v3.1 Scoring
- Base Score: 7.5 (High)
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Disclosure Timeline
- 16 Sep 2025 — Initial report sent via Waveshare support portal with full disclosure report.
- 23 Sep 2025 — Vendor acknowledged receipt.
- 23 Sep 2025 — Researcher requested remediation timeline, CVD process, and CVE coordination details.
- 24 Sep 2025 — Vendor replied: “Information received; feedback will be taken into account in future research.”
- 24 Sep 2025 — Researcher requested confirmation on CVD process and timeline.
- 27 Sep 2025 — Vendor responded: “No specific timeline can be provided; security feedback will be considered in subsequent products.”
- 27 Sep 2025 — Researcher informed vendor case would be reported to MITRE for CVE assignment.
- 29 Sep 2025 — Reported to MITRE for CVE assignment.
- 10 Nov 2025 — CVE ID reserved.
- 11 Nov 2025 — Public advisory released by Payatu.
Credits
Abhishek Pandey – Payatu Security Consulting Pvt. Ltd.