CVE-2026-36174: GNCC GP5 Plaintext Wireless Credentials Exposure via Serial Console
GNCC GP5 devices running version 7.1.76 transmit sensitive wireless network credentials in readable form to the serial console during normal operation. An attacker with physical access to the device's serial port can intercept these credentials, compromising network security. This is a localized but consequential exposure for organizations operating these devices in shared or less-controlled physical environments.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.6 MEDIUM · CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-256
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-07-05
NVD description (verbatim)
GNCC GP5 v7.1.76 was discovered to store sensitive wireless network information in plaintext during routine operations to the serial console. This issue allows physically-proximate attackers to obtain sensitive information, including network credentials, via monitoring the serial UART interface.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-36174 is a cleartext information exposure vulnerability affecting GNCC GP5 v7.1.76. The device outputs wireless network configuration and credentials to the serial UART interface without encryption or obfuscation during routine operations. An attacker positioned to monitor the serial port (via UART interface, serial dongle, or hardware tap) can passively capture plaintext credentials. The vulnerability is classified as CWE-256 (Cleartext Storage of Password), reflecting the fundamental design flaw of transmitting sensitive authentication material without protection. Attack surface is inherently limited to physically proximate actors, but the capture method is trivial—no special tools beyond basic serial monitoring are required.
Business impact
While physical proximity is required, unauthorized wireless network access via captured credentials can enable lateral movement, data exfiltration, or establishment of persistent presence within the organization's network. For deployments in co-location facilities, shared campuses, or environments where technicians or contractors have equipment access, this risk is material. The exposure of network credentials violates defense-in-depth principles and may trigger regulatory scrutiny around credential management and data protection controls.
Affected systems
GNCC GP5 version 7.1.76 is confirmed affected. Organizations should verify whether older or newer versions of GNCC GP5 exhibit the same behavior, and consult vendor documentation for the complete affected version range. Any system running v7.1.76 in a production network should be considered at risk.
Exploitability
Exploitability is straightforward from a technical standpoint—monitoring a serial interface requires minimal skill—but it is strictly gated by physical access. An attacker must be present at or near the device to connect to the serial port. This significantly limits the threat actor pool compared to remote vulnerabilities. However, for adversaries already on-site (facility access, supply chain compromise, insider threats), exploitation is trivial and detection is challenging. No authentication, special software, or complex interaction is needed once physical access is established.
Remediation
Upgrade GNCC GP5 to a patched version that does not output credentials to the serial console, or implements encryption/redaction of sensitive data. Until a patch is available, restrict physical access to the device and its serial interfaces using port locks, tamper seals, or segregation. Disable or restrict console access where operationally feasible. Monitor serial output for unauthorized connections. Verify all wireless network credentials after any suspected physical tampering and rotate credentials if compromise is suspected.
Patch guidance
Check the GNCC vendor advisory for availability and version numbers of patched releases. Organizations should test patches in a staging environment before production deployment, particularly given the physical-access nature of this issue—testing can confirm that the patch eliminates plaintext credential output to the serial console. Prioritize patching systems in higher-risk physical environments (co-location, shared facilities, or locations with elevated facility access).
Detection guidance
Implement physical controls: secure the serial port connection area, use port locks or cable locks on serial interfaces, and apply tamper-evident seals. Monitor device access logs if the device supports them. Audit wireless network credentials periodically to identify unauthorized changes or access. Conduct credential reviews following any facility incidents, equipment maintenance, or unauthorized physical access events. For environments permitting it, implement network segmentation to limit impact if wireless credentials are compromised.
Why prioritize this
Although the CVSS score reflects the low network exposure (4.6, MEDIUM), organizations with GNCC GP5 v7.1.76 deployed in shared or less-controlled physical environments should treat this as a priority for access control hardening and patching. The ease of exploitation given physical access, combined with the high-value nature of wireless credentials, justifies rapid remediation. This is not an emergency for secure data centers but warrants urgent attention for edge or co-location deployments.
Risk score, explained
CVSS 3.1 score of 4.6 (MEDIUM) reflects: Attack Vector Physical (restricting scope significantly), low Attack Complexity, no authentication required, no user interaction, and high Confidentiality impact balanced against no integrity or availability impact. The score appropriately captures that exploitation requires on-site presence but succeeds trivially once achieved. Organizations' actual risk depends heavily on the physical security posture of their GNCC GP5 deployments.
Frequently asked questions
Can this vulnerability be exploited remotely?
No. Exploitation requires physical proximity to the serial UART interface. Remote attackers cannot exploit this vulnerability. However, the barrier to entry for physically-present attackers is extremely low, so physical access controls are critical.
What wireless information is exposed?
The device outputs wireless network configuration and credentials in plaintext to the serial console. This typically includes SSIDs, authentication methods, and pre-shared keys or other authentication material.
Is this issue affecting all GNCC GP5 versions?
Only v7.1.76 has been confirmed affected. Consult the vendor advisory to confirm the full affected version range and determine if your deployment is at risk.
What should I do if I suspect my wireless credentials were compromised?
Rotate all wireless network credentials immediately. Audit network access logs for signs of unauthorized connection. Implement enhanced network segmentation and monitoring. If available, review device logs or physical access records to determine when the serial port may have been accessed.
This analysis is provided for informational purposes and does not constitute professional security advice. Organizations should independently verify affected versions, patch availability, and compatibility with their infrastructure before applying mitigations. Consult GNCC vendor documentation and security advisories for authoritative guidance. This page does not contain or recommend exploit code or weaponization techniques. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25396HIGHHeatmiser Wifi Thermostat Plaintext Credential Disclosure
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2018-25387MEDIUMHaPe PKH 1.1 Cross-Site Request Forgery (CSRF) Admin Password Reset
- CVE-2018-25393MEDIUMNavigate CMS 2.8.5 Path Traversal Vulnerability (CVSS 6.5)
- CVE-2018-25397MEDIUMCSRF Vulnerability in PHP-SHOP 1.0 – Admin Account Injection
- CVE-2018-25421MEDIUMOpen STA Manager 2.3 Path Traversal File Download Vulnerability
- CVE-2018-25423MEDIUMBuffer Overflow Denial of Service in Arm Whois 3.11
- CVE-2018-25435MEDIUMZeusCart 4.0 CSRF Vulnerability – Account Deactivation Risk