Description
GNCC GP5 v7.1.76 was discovered to store sensitive wireless network information in plaintext during routine operations to the serial console. This issue allows physically-proximate attackers to obtain sensitive information, including network credentials, via monitoring the serial UART interface.
Published: 2026-06-04
Score: 4.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from GNCC GP5 firmware that writes wireless network credentials and related sensitive data in clear text to the serial UART stream during routine operations. This flaw creates a direct data leak that can be read by anyone with physical proximity to the UART interface, allowing an attacker to recover passwords and network configuration details. The weakness is a classic example of information exposure, potentially enabling unauthorized network access for the attacker.

Affected Systems

Devices powered by GNCC GP5 firmware version 7.1.76 are affected. The issue is confined to the device’s serial console subsystem, and no other firmware or hardware components are explicitly mentioned in the data.

Risk and Exploitability

The EPSS score is below 1%, indicating a very low probability of exploitation, and the vulnerability is not listed in CISA’s KEV catalog, suggesting no known public exploits. Because it requires only physical proximity to the device’s UART interface, the attack vector is low‑barrier and can be executed with minimal tools. In environments where physical security is weak, the risk of credential compromise remains significant. The CVSS score of 4.6 points to moderate severity.

Generated by OpenCVE AI on June 8, 2026 at 17:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Disable the serial console or restrict its access to trusted personnel only
  • Reconfigure the device firmware to remove or encrypt wireless credential output in logs
  • Physically secure or shield the UART port to prevent unauthorized reading

Generated by OpenCVE AI on June 8, 2026 at 17:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 08 Jun 2026 16:15:00 +0000

Type Values Removed Values Added
Title Plaintext Storage of Wireless Credentials on Serial Console
Weaknesses CWE-200

Mon, 08 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-256
Metrics cvssV3_1

{'score': 4.6, 'vector': 'CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 05 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Gncc
Gncc gp5
Vendors & Products Gncc
Gncc gp5

Thu, 04 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Title Plaintext Storage of Wireless Credentials on Serial Console
Weaknesses CWE-200

Thu, 04 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Description GNCC GP5 v7.1.76 was discovered to store sensitive wireless network information in plaintext during routine operations to the serial console. This issue allows physically-proximate attackers to obtain sensitive information, including network credentials, via monitoring the serial UART interface.
References

Subscriptions

Gncc Gp5
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-08T14:00:45.789Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-36174

cve-icon Vulnrichment

Updated: 2026-06-08T13:59:36.959Z

cve-icon NVD

Status : Deferred

Published: 2026-06-04T15:16:51.093

Modified: 2026-06-08T15:16:45.077

Link: CVE-2026-36174

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-08T17:30:06Z

Weaknesses
  • CWE-256

    Plaintext Storage of a Password