Description
Hiseeu C90 v5.7.15 is vulnerable to Insecure Permissions. The UART bootloader is accessible when battery is disconnected (hidden/debug mode).
Published: 2026-05-13
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The UART bootloader on Hiseeu C90 firmware v5.7.15 is exposed when the battery is disconnected, revealing a hidden or debug mode that grants direct firmware programming access. This vulnerability, reflecting insecure permissions (CWE‑276), enables an attacker to reflash or tamper with the device’s firmware, potentially leading to proprietary code execution or persistent compromise of device integrity. The impact is inferred from the fact that bootloader access allows upgraded firmware to be loaded without authentication, thereby compromising confidentiality, integrity, and availability of the device’s software stack.

Affected Systems

All Hiseeu C90 units running firmware version 5.7.15 are affected. No other product versions or vendors were explicitly identified in the advisory. The lack of additional affected system information means that the scope of the vulnerability is limited to the mentioned firmware revision.

Risk and Exploitability

Exploitation requires the attacker to physically access the device and remove its power source, which is inferred from the description of battery disconnection enabling debug mode. The EPSS score is < 1%, the CVSS score is 6.8, and the vulnerability is not listed in CISA KEV. While the physical access requirement reduces the number of potential attackers, the severity of the attack, which grants root‑level firmware modification, remains high if such access is achieved.

Generated by OpenCVE AI on May 14, 2026 at 16:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Hiseeu C90 to a firmware revision that disables the UART bootloader or secures it with authentication controls.
  • If a vendor patch is not immediately available, permanently disable or lock the UART interface and any associated debug switches to prevent physical exploitation of the hidden mode.
  • Enforce secure boot or equivalent mechanisms to verify firmware integrity and ensure only authenticated firmware modules can execute.
  • Restrict physical access to the device, especially in environments where the battery can be disconnected by an adversary.


Advisories

No advisories yet.

History

Thu, 14 May 2026 16:45:00 +0000

Type Values Removed Values Added
Title UART Bootloader Accessible in Debug Mode During Battery Disconnection

Thu, 14 May 2026 15:45:00 +0000

Type Values Removed Values Added
Title UART Bootloader Access Enables Unauthorized Firmware Reflash
Weaknesses CWE-284

Thu, 14 May 2026 13:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-276
Metrics cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 13 May 2026 18:45:00 +0000

Type Values Removed Values Added
Title UART Bootloader Access Enables Unauthorized Firmware Reflash
Weaknesses CWE-284

Wed, 13 May 2026 16:15:00 +0000

Type Values Removed Values Added
Description Hiseeu C90 v5.7.15 is vulnerable to Insecure Permissions. The UART bootloader is accessible when battery is disconnected (hidden/debug mode).
References


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-14T12:28:31.093Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-36742

Vulnrichment

Updated: 2026-05-14T12:25:37.217Z

NVD

Status: Deferred

Published: 2026-05-13T16:16:40.977

Modified: 2026-05-14T13:16:17.527

Link: CVE-2026-36742

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T16:30:24Z

Weaknesses