Description
Use of hard-coded credentials issue exists in MR-GM5L-S1 and MR-GM5A-L1, which may allow an attacker to obtain administrative access.
Published: 2026-03-11
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Administrative Access
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a hard‑coded credentials flaw in the MR‑GM5L‑S1 and MR‑GM5A‑L1 devices, catalogued as CWE-798. It enables an attacker who can reach the device’s management interface to log in with predetermined credentials and gain full administrative control, potentially allowing configuration changes, data exfiltration, or deployment of malicious firmware.

Affected Systems

Vendor: Micro Research Ltd. Products: MR‑GM5L‑S1 and MR‑GM5A‑L1. Specific affected firmware versions are not listed in the CVE record, so all firmware variants of these models should be considered vulnerable until the vendor publishes a fix.

Risk and Exploitability

The CVSS v4.0 score of 9.3 indicates critical severity, while the EPSS score of less than 1% suggests a low current probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Because the credentials are hard‑coded, the flaw is exploitable over the network: an attacker who can reach the device’s administrative interface needs no other authentication.

Generated by OpenCVE AI on March 17, 2026 at 15:13 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Check the Micro Research Ltd. website for firmware updates or patches that remove the hard‑coded credentials.
  • If no patch is available, isolate the devices from untrusted networks or disable external management access.
  • Change any default administrator credentials to strong, unique passwords.
  • Apply network segmentation and firewall rules to restrict access to the device management interfaces.

Advisories

No advisories yet.

History

Fri, 20 Mar 2026 14:45:00 +0000

Type: Title
Values Removed: (none)
Values Added: Hard‑Coded Credentials Grant Administrative Access on MR‑GM5L‑S1 and MR‑GM5A‑L1 Devices

Wed, 11 Mar 2026 16:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 11 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Micro Research; Micro Research mr-gm5a-l1; Micro Research mr-gm5l-s1

Type: Vendors & Products
Values Removed: (none)
Values Added: Micro Research; Micro Research mr-gm5a-l1; Micro Research mr-gm5l-s1

Wed, 11 Mar 2026 05:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: Use of hard-coded credentials issue exists in MR-GM5L-S1 and MR-GM5A-L1, which may allow an attacker to obtain administrative access.

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-798

Type: References

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_0 {'score': 9.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: jpcert

Published:

Updated: 2026-03-11T15:39:46.530Z

Reserved: 2026-03-10T01:22:57.438Z

Link: CVE-2026-24448

Vulnrichment

Updated: 2026-03-11T15:39:25.458Z

NVD

Status: Awaiting Analysis

Published: 2026-03-11T06:17:13.697

Modified: 2026-03-11T13:52:47.683

Link: CVE-2026-24448

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T14:37:53Z

Weaknesses