Severity by source
AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Primary rating from Vendor (mitre) · only source for this CVE.
CVSS VectorVendor: mitre
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
3DescriptionCVE.org
A lack of runtime integrity in GNCC GP5 v7.1.76 allows physically-proximate attackers to bypass file system read-only protections and modify system files and binaries for the duration of a boot session via a bind-mount attack.
AnalysisAI
Runtime integrity bypass on GNCC GP5 firmware v7.1.76 enables a physically-proximate unauthenticated attacker to circumvent file system read-only protections via a bind-mount attack, allowing arbitrary modification of system files and binaries for the current boot session. The device, an IoT platform, lacks enforcement of filesystem immutability at runtime, meaning a read-only mount can be shadowed by a writable bind-mount without detection. No public exploit has been confirmed beyond the published IoT vulnerability research linked in references, and exploitation probability is very low at 0.02% EPSS (4th percentile), consistent with the physical-access requirement.
Technical ContextAI
The GNCC GP5 (firmware v7.1.76) is an IoT device that relies on a read-only filesystem as a runtime integrity control - a common hardening pattern for embedded systems intended to prevent persistent tampering. A bind-mount attack exploits Linux's mount namespace primitives: an attacker with shell access to the device can execute 'mount --bind /attacker-controlled-path /target-system-path', layering a writable filesystem over a path that is nominally read-only, effectively bypassing the protection without modifying the underlying storage. The root cause is the absence of runtime integrity verification (e.g., dm-verity, IMA/EVM, or similar kernel-enforced mechanisms) that would detect or prevent such mount-namespace manipulation. CWE data is not assigned by NVD for this entry. The CPE string in the NVD record is placeholder ('n/a n/a'), meaning no formal CPE enumeration has been published - affected product scope is derived from the description and researcher disclosure alone. The 'Authentication Bypass' tag in ENISA EUVD reflects the circumvention of the read-only filesystem control, not a traditional credential bypass.
RemediationAI
No vendor-released patch or advisory has been identified at time of analysis - no specific fix version is referenced in any of the linked sources, and the vendor domains (http://gncc.com, http://gp5.com) do not link to an advisory. The IoT vulnerability research disclosure at https://github.com/BadChemical/IoT-Vulnerability-Research-Public/blob/main/GNCC-GP5-T23/README.md should be consulted for researcher-recommended mitigations. Compensating controls for operators who cannot immediately patch include: restricting physical access to GP5 devices (locked enclosures, tamper-evident seals) to eliminate the physical attack vector entirely; enabling Secure Boot if supported by the hardware to prevent boot-time filesystem manipulation; deploying dm-verity or equivalent kernel-level integrity enforcement on the root filesystem, which cryptographically verifies block-level data and cannot be bypassed by bind-mount; and monitoring for unexpected mount namespace changes via audit daemon rules if logging infrastructure is available. Note that bind-mount restriction via mount namespace isolation (user namespaces disabled) may also reduce attack surface but could impact legitimate device functionality. Contact GNCC for official patch status.
Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali
Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST
Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al
In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o
Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when
Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_
Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc
Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s
An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge
An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34281
GHSA-xjch-jhgj-g9w2