Severity by source
AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Hiseeu C90 v5.7.15 is vulnerable to Insecure Permissions. The UART bootloader is accessible when battery is disconnected (hidden/debug mode).
AnalysisAI
Hiseeu C90 v5.7.15 exposes a UART bootloader in debug mode when the device battery is disconnected, allowing unauthenticated physical attackers with direct hardware access to achieve privilege escalation and potentially execute arbitrary code with full device control. This vulnerability requires physical tampering to trigger but bypasses all software-based security controls once activated.
Technical ContextAI
The Hiseeu C90 is an embedded IoT device that implements a UART (Universal Asynchronous Receiver-Transmitter) bootloader with debug functionality. The vulnerability exists in improper permission controls (CWE-276) on the bootloader interface - specifically, the debug/hidden mode becomes accessible when the device battery is disconnected, a state that should trigger secure boot lockdown but instead exposes an unauthenticated UART interface. This allows direct memory access and code execution at the bootloader privilege level, which runs with the highest system permissions. The condition involves hardware-level access to the UART pins or bus and knowledge of the boot sequence behavior when power state changes.
RemediationAI
The primary fix requires a firmware update from Hiseeu that disables or securely gates the UART bootloader debug interface when the battery is disconnected, ensuring the bootloader cannot be accessed without proper authentication regardless of power state. Check Hiseeu's official advisory at https://nvd.nist.gov/vuln/detail/CVE-2026-36742 for patched firmware versions and installation instructions. If a patch is not yet available, temporary mitigations include: physically securing the device to prevent unauthorized battery removal (e.g., tamper-evident seals, enclosure locks) with the understanding this does not eliminate the vulnerability; disabling physical UART access if the device design permits (consult device documentation); and restricting device deployment to controlled environments with access controls. These mitigations address the delivery step of the attack chain but do not remediate the underlying firmware flaw.
Same weakness CWE-276 – Incorrect Default Permissions
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30045
GHSA-cgmh-m268-gqfx