Skip to main content

MR-GM5L-S1, MR-GM5A-L1 CVE-2026-24448

CRITICAL
Use of Hard-coded Credentials (CWE-798)
2026-03-11 vultures@jpcert.or.jp
9.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Updated
Apr 30, 2026 - 16:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 30, 2026 - 16:22 vuln.today
cvss_changed
CVSS changed
Apr 30, 2026 - 16:22 NVD
9.8 (CRITICAL) 9.3 (CRITICAL)
Analysis Generated
Mar 12, 2026 - 22:06 vuln.today
CVE Published
Mar 11, 2026 - 06:17 nvd
CRITICAL 9.8

DescriptionCVE.org

Use of hard-coded credentials issue exists in MR-GM5L-S1 and MR-GM5A-L1, which may allow an attacker to obtain administrative access.

AnalysisAI

Hard-coded credentials in MR-GM5L-S1 and MR-GM5A-L1 enable remote unauthenticated attackers to gain administrative access with critical CVSS 9.3 score. The CWE-798 flaw allows complete system compromise through embedded default credentials that cannot be changed by users. EPSS score of 0.04% (14th percentile) suggests low observed exploitation probability despite the critical severity, though authentication bypass capabilities make this a priority for affected deployments.

Technical ContextAI

CWE-798 (Use of Hard-coded Credentials) represents credentials embedded directly in firmware or software that are identical across all product installations. These MRL-manufactured devices ship with unchangeable or poorly documented default administrative credentials, violating secure design principles. Hard-coded credentials persist across reboots and firmware updates unless explicitly patched, creating a permanent authentication bypass. The CVSS 4.0 vector (AV:N/AC:L/PR:N) confirms remote network accessibility with low attack complexity requiring no user privileges, making exploitation straightforward once credentials are discovered through reverse engineering, leaked documentation, or public disclosure.

Affected ProductsAI

MRL Corporation devices MR-GM5L-S1 and MR-GM5A-L1 are confirmed affected by hard-coded credential vulnerability. Specific firmware versions not detailed in available advisories. Japan Vulnerability Notes advisory JVNVU98103854 and MRL Corporation security bulletin (https://www.mrl.co.jp/download/security/JVNVU98103854.pdf) provide official vendor confirmation. No CPE data available for automated scanning. Vulnerability disclosed through Japan CERT coordination (vultures@jpcert.or.jp).

RemediationAI

Apply vendor-released firmware updates per MRL Corporation security advisory at https://www.mrl.co.jp/download/security/JVNVU98103854.pdf and review JVN advisory at https://jvn.jp/en/vu/JVNVU98103854/ for specific patch versions. Exact patched firmware version not specified in NVD data - consult vendor bulletin directly for version guidance. If firmware update unavailable or deployment schedule delayed, implement network segmentation to restrict device access to trusted management networks only, disable remote administrative interfaces if not operationally required (noting this may prevent remote management capabilities), and deploy network access controls requiring VPN or bastion host authentication before reaching device management ports. Monitor authentication logs for suspicious administrative login attempts using non-standard source IPs. Change any configurable credentials immediately, though core hard-coded credentials may persist until firmware patch.

Share

CVE-2026-24448 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy