Skip to main content

Hiseeu C90 CVE-2026-36742

| EUVDEUVD-2026-30045 MEDIUM
Incorrect Default Permissions (CWE-276)
2026-05-13 cve@mitre.org GHSA-cgmh-m268-gqfx
6.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.8 MEDIUM
AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Physical
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 14, 2026 - 13:23 vuln.today
CVSS changed
May 14, 2026 - 13:22 NVD
6.8 (MEDIUM)
CVE Published
May 13, 2026 - 16:16 nvd
UNKNOWN (no severity yet)
CVE Published
May 13, 2026 - 16:16 nvd
MEDIUM 6.8

DescriptionCVE.org

Hiseeu C90 v5.7.15 is vulnerable to Insecure Permissions. The UART bootloader is accessible when battery is disconnected (hidden/debug mode).

AnalysisAI

Hiseeu C90 v5.7.15 exposes a UART bootloader in debug mode when the device battery is disconnected, allowing unauthenticated physical attackers with direct hardware access to achieve privilege escalation and potentially execute arbitrary code with full device control. This vulnerability requires physical tampering to trigger but bypasses all software-based security controls once activated.

Technical ContextAI

The Hiseeu C90 is an embedded IoT device that implements a UART (Universal Asynchronous Receiver-Transmitter) bootloader with debug functionality. The vulnerability exists in improper permission controls (CWE-276) on the bootloader interface - specifically, the debug/hidden mode becomes accessible when the device battery is disconnected, a state that should trigger secure boot lockdown but instead exposes an unauthenticated UART interface. This allows direct memory access and code execution at the bootloader privilege level, which runs with the highest system permissions. The condition involves hardware-level access to the UART pins or bus and knowledge of the boot sequence behavior when power state changes.

RemediationAI

The primary fix requires a firmware update from Hiseeu that disables or securely gates the UART bootloader debug interface when the battery is disconnected, ensuring the bootloader cannot be accessed without proper authentication regardless of power state. Check Hiseeu's official advisory at https://nvd.nist.gov/vuln/detail/CVE-2026-36742 for patched firmware versions and installation instructions. If a patch is not yet available, temporary mitigations include: physically securing the device to prevent unauthorized battery removal (e.g., tamper-evident seals, enclosure locks) with the understanding this does not eliminate the vulnerability; disabling physical UART access if the device design permits (consult device documentation); and restricting device deployment to controlled environments with access controls. These mitigations address the delivery step of the attack chain but do not remediate the underlying firmware flaw.

Share

CVE-2026-36742 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy