MR-GM5L-S1, MR-GM5A-L1 CVE-2026-24448
CRITICALSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
Use of hard-coded credentials issue exists in MR-GM5L-S1 and MR-GM5A-L1, which may allow an attacker to obtain administrative access.
AnalysisAI
Hard-coded credentials in MR-GM5L-S1 and MR-GM5A-L1 enable remote unauthenticated attackers to gain administrative access with critical CVSS 9.3 score. The CWE-798 flaw allows complete system compromise through embedded default credentials that cannot be changed by users. EPSS score of 0.04% (14th percentile) suggests low observed exploitation probability despite the critical severity, though authentication bypass capabilities make this a priority for affected deployments.
Technical ContextAI
CWE-798 (Use of Hard-coded Credentials) represents credentials embedded directly in firmware or software that are identical across all product installations. These MRL-manufactured devices ship with unchangeable or poorly documented default administrative credentials, violating secure design principles. Hard-coded credentials persist across reboots and firmware updates unless explicitly patched, creating a permanent authentication bypass. The CVSS 4.0 vector (AV:N/AC:L/PR:N) confirms remote network accessibility with low attack complexity requiring no user privileges, making exploitation straightforward once credentials are discovered through reverse engineering, leaked documentation, or public disclosure.
Affected ProductsAI
MRL Corporation devices MR-GM5L-S1 and MR-GM5A-L1 are confirmed affected by hard-coded credential vulnerability. Specific firmware versions not detailed in available advisories. Japan Vulnerability Notes advisory JVNVU98103854 and MRL Corporation security bulletin (https://www.mrl.co.jp/download/security/JVNVU98103854.pdf) provide official vendor confirmation. No CPE data available for automated scanning. Vulnerability disclosed through Japan CERT coordination (vultures@jpcert.or.jp).
RemediationAI
Apply vendor-released firmware updates per MRL Corporation security advisory at https://www.mrl.co.jp/download/security/JVNVU98103854.pdf and review JVN advisory at https://jvn.jp/en/vu/JVNVU98103854/ for specific patch versions. Exact patched firmware version not specified in NVD data - consult vendor bulletin directly for version guidance. If firmware update unavailable or deployment schedule delayed, implement network segmentation to restrict device access to trusted management networks only, disable remote administrative interfaces if not operationally required (noting this may prevent remote management capabilities), and deploy network access controls requiring VPN or bastion host authentication before reaching device management ports. Monitor authentication logs for suspicious administrative login attempts using non-standard source IPs. Change any configurable credentials immediately, though core hard-coded credentials may persist until firmware patch.
Same weakness CWE-798 – Use of Hard-coded Credentials
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today