CVE-2026-36176: GNCC GP5 Plaintext B2 Credentials Leak via Serial Console
GNCC GP5 version 7.1.76 leaks Backblaze B2 cloud storage upload credentials to the device's serial console in plaintext. An attacker with physical access to the hardware can monitor the UART interface and capture active, pre-signed upload URLs intended for file transfers. Once captured, these URLs can be used to upload or manipulate files in the connected B2 storage bucket without authorization. The vulnerability requires proximity to the device but poses significant risk to organizations using this gateway in sensitive environments.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.1 HIGH · CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
- Weaknesses (CWE)
- CWE-312
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-07-05
NVD description (verbatim)
GNCC GP5 v7.1.76 was discovered to store pre-signed Backblaze B2 upload URLs (PUT requests) in plaintext to the serial console. This allows physically-proximate attackers to extract these active tokens to perform unauthorized operations via monitoring the serial UART interface.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-36176 involves improper credential handling in GNCC GP5 v7.1.76. The device outputs pre-signed Backblaze B2 PUT request URLs directly to the serial console without redaction or encryption. These URLs are persistent tokens that grant direct write access to cloud storage. An attacker capable of connecting to the serial UART interface—either via exposed debug ports, internal physical access, or compromised device disassembly—can passively capture these credentials by monitoring console output. The tokens remain valid for the duration of their signed lifetime, providing a window for unauthorized cloud operations. The vulnerability is classified under CWE-312 (Cleartext Storage of Sensitive Information).
Business impact
Compromise of Backblaze B2 credentials enables unauthorized file uploads, data modification, or deletion within the connected storage bucket. This can lead to data integrity violations, compliance failures (especially for regulated industries requiring tamper-evident storage), supply chain contamination if the gateway is used for software distribution, and potential lateral movement if B2 account permissions are overly broad. Organizations relying on this gateway for backup, archival, or integration workflows face disruption and forensic complexity.
Affected systems
GNCC GP5 version 7.1.76 is affected. Verify with the vendor whether earlier versions contain the same flaw and whether patches for later versions are available. Environments where this device is physically accessible to untrusted personnel or located in shared infrastructure are at highest risk.
Exploitability
Exploitability requires physical proximity to the device and the ability to interface with its serial UART port. This is not a remote vulnerability. However, the bar for exploitation is low once access is gained: an attacker need only observe console output passively without authentication. The vulnerability is not currently tracked in CISA's Known Exploited Vulnerabilities (KEV) catalog. Threat actors targeting organizations with poor physical security controls or insider threats may find this vector attractive.
Remediation
Upgrade GNCC GP5 to a patched version that redacts or encrypts credential output to the serial console. If a patch is unavailable, implement strict physical access controls to the device and its debug ports, disable or restrict serial console access to authorized personnel only, and monitor B2 bucket access logs for anomalous uploads. Consider rotating B2 API credentials and implementing bucket-level access policies with IP restrictions or temporary SAS tokens instead of long-lived pre-signed URLs.
Patch guidance
Check the GNCC vendor advisory for version 7.1.76 to identify available patches and upgrade timelines. Prioritize patching in production environments where the gateway handles sensitive data. Test patches in a staging environment first to ensure no disruption to B2 integration workflows. Verify post-patch that credential material is no longer exposed to the serial console.
Detection guidance
Monitor physical access to GNCC GP5 devices via environmental controls or badge logs. Implement serial console logging where feasible and review logs for unauthorized access attempts. Monitor Backblaze B2 bucket access logs for unexpected PUT requests, especially those originating from unfamiliar IP addresses or at unusual times. Alert on any credential rotation events or API key creation outside of change control procedures.
Why prioritize this
Although exploitability is restricted to physical proximity, the impact is high: active cloud storage credentials with direct write access. Organizations in high-security facilities or with strong physical security may deprioritize this; however, enterprises in open or shared spaces, particularly those handling critical data, should prioritize remediation. The CVSS 7.1 (HIGH) score reflects the combination of confidentiality and integrity impact balanced against the access vector constraint.
Risk score, explained
The CVSS 3.1 score of 7.1 (HIGH) is derived from: Attack Vector (Physical) and Access Complexity (Low) reflecting ease of exploitation once proximity is achieved; Privileges Required (Low) meaning some baseline device access is needed; Confidentiality and Integrity impacts (both High) reflecting the ability to read and abuse cloud storage credentials; and Availability (None) as the vulnerability does not directly disrupt service. The score appropriately elevates physical attacks when the impact is substantial.
Frequently asked questions
Can this vulnerability be exploited remotely?
No. CVE-2026-36176 requires physical access to the GNCC GP5 device's serial UART interface. An attacker must be present near the hardware or have compromised the supply chain to install a serial tap. It is not exploitable over the network.
What versions of GNCC GP5 are vulnerable?
Version 7.1.76 is confirmed affected. Consult the vendor advisory to determine if earlier versions are also vulnerable and whether patches exist for version 7.1.76 or later releases.
If an attacker captures a pre-signed B2 URL, how long can they use it?
Pre-signed URLs have an expiration time set by the B2 API, typically ranging from minutes to hours depending on configuration. However, if the URL is long-lived or if the attacker captures it shortly after generation, they have a substantial window to exploit it. Rotating B2 credentials and using short-lived tokens reduces exposure.
How can we monitor if someone has accessed our B2 bucket using a leaked URL?
Backblaze B2 logs all PUT requests, including those via pre-signed URLs. Monitor your B2 bucket access logs for unexpected uploads, check request metadata for IP addresses and user agents that don't match your infrastructure, and set up alerts for credential rotation events or API key creation.
This analysis is based on the vulnerability record as of the publication and modification dates. Vendor advisory details, patch availability, and version numbers should be verified directly with GNCC and Backblaze. Physical security controls and cloud logging capabilities vary by deployment; consult your infrastructure team and cloud provider documentation. This is informational content and not a substitute for professional security assessment or incident response. No exploit code or weaponized proof-of-concept is provided. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25382HIGHZechat 1.5 SQL Injection Vulnerability – Unauthenticated Database Access
- CVE-2018-25383HIGHFree MP3 CD Ripper 2.8 Stack Overflow – ROP and DEP Bypass Risk
- CVE-2018-25385HIGHUnauthenticated SQL Injection in E-Registrasi Pencak Silat 18.10
- CVE-2018-25386HIGHSQL Injection in HaPe PKH 1.1 Admin Interface
- CVE-2018-25388HIGHHaPe PKH 1.1 Arbitrary File Upload Vulnerability (CVSS 8.8)
- CVE-2018-25389HIGHSQL Injection in HaPe PKH 1.1 Database Extraction
- CVE-2018-25390HIGHUnauthenticated SQL Injection in HaPe PKH 1.1
- CVE-2018-25391HIGHHaPe PKH 1.1 Authorization Bypass – Unauthorized Record Deletion Vulnerability