MEDIUM 4.6

CVE-2026-36178: GNCC GP5 Factory Reset Leaves Cryptographic Keys Uncleared

A flaw in the factory reset process of GNCC GP5 v7.1.76 leaves sensitive cryptographic keys and related data intact on the device's storage partition even after a factory reset is performed. An attacker with physical access to the device could potentially recover this material and use it to decrypt or impersonate the original user's configuration and encrypted content.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.6 MEDIUM · CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-212
Affected products
0 configuration(s)
Published / Modified
2026-06-04 / 2026-07-05

NVD description (verbatim)

The factory reset functionality in GNCC GP5 v7.1.76 fails to clear sensitive cryptographic material in the JFFS2 configuration partition, possibly allowing attackers to recover and obtain sensitive user data.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-36178 is a sensitive data exposure vulnerability affecting the factory reset implementation in GNCC GP5 v7.1.76. The vulnerability stems from incomplete sanitization of cryptographic material stored in the JFFS2 configuration partition during factory reset operations. The flaw is classified under CWE-212 (Improper Removal of Sensitive Information Before Storage or Transfer). The CVSS v3.1 score of 4.6 (MEDIUM severity) reflects that exploitation requires physical access to the device (AV:P), but results in high confidentiality impact once access is obtained (C:H).

Business impact

Organizations deploying GNCC GP5 devices must consider the risk of data exposure during device decommissioning or repurposing workflows. If devices are sold, donated, or transferred without secure wiping procedures, recovered cryptographic material could compromise past communications, stored credentials, or sensitive configurations. This is particularly concerning in environments where devices rotate through multiple owners or are refurbished for resale. Regulatory compliance frameworks (such as those governing data protection or secure disposal) may require additional compensating controls to mitigate this gap.

Affected systems

GNCC GP5 version 7.1.76 is confirmed affected. Organizations using this model should verify their deployed firmware versions against vendor advisories and upgrade plans. Versions prior to and after 7.1.76 require vendor confirmation; check the GNCC security advisories for patch availability and version scope.

Exploitability

Exploitation requires physical access to the affected device and technical capability to recover data from the JFFS2 partition—typically via device disassembly or direct storage interface access. This is not a remotely exploitable vulnerability and does not require authentication or user interaction. The attack scenario is most relevant in supply chain, refurbishment, or end-of-life device handling contexts rather than in-field compromise.

Remediation

Apply the vendor patch or firmware update when available from GNCC. Verify the patched version addresses complete cryptographic material erasure during factory reset. Until patched, implement administrative controls: enforce secure device disposal procedures (e.g., physical destruction, verified secure wiping via vendor tools), and track device custody during decommissioning. For devices in the field, prioritize patching systems in environments where device reassignment or refurbishment is planned.

Patch guidance

Contact GNCC for patch availability for GP5 v7.1.76 and confirmation of affected version range. Vendor advisories should specify the patched firmware version and any interim mitigations (e.g., manual secure wipe procedures prior to factory reset). Test patches in a non-production environment before broad deployment. Once available, prioritize patching devices scheduled for refurbishment, resale, or decommissioning.

Detection guidance

Forensic indicators are limited to post-breach recovery scenarios. Organization-level detection focuses on process controls: audit device disposal workflows to ensure patches are applied before factory reset, verify that devices are logged as reset in inventory systems, and implement chain-of-custody logging for refurbished or transferred devices. If breach of refurbished devices is suspected, engage forensic specialists to assess whether recovered cryptographic material correlates to known compromises.

Why prioritize this

Although CVSS 4.6 (MEDIUM) may suggest lower urgency, prioritization depends on your environment: devices regularly subject to refurbishment, resale, or decommissioning warrant expedited patching. Conversely, devices in controlled corporate environments with fixed ownership may be patched on standard timelines. The vulnerability has not been added to CISA's KEV catalog, so no active exploitation pressure is currently documented.

Risk score, explained

The CVSS v3.1 score of 4.6 reflects the physical access requirement (AV:P), low attack complexity (AC:L), no privileges or user interaction needed (PR:N/UI:N), and high confidentiality impact (C:H). Integrity and availability are not affected. Contextually, the score appropriately weights a data exposure risk that is straightforward to execute for an attacker with physical access but less critical for organizations without device refurbishment or high-mobility scenarios.

Frequently asked questions

Can this vulnerability be exploited remotely?

No. CVE-2026-36178 requires physical access to the device and its storage components. It poses no direct remote attack surface.

What should we do if we have already factory-reset GP5 devices and sold or transferred them?

If devices were reset without cryptographic material being securely erased, recovered keys could theoretically compromise past configurations. Advise recipients of their potential exposure if the devices were repurposed, and prioritize patching any remaining units in your inventory. Consider contacting GNCC for guidance on forensic recovery and incident response if breach is suspected.

Does this affect cloud or remote management features?

The vulnerability is local to device storage and does not directly impact cloud synchronization or remote management protocols. However, if a recovered key is used to decrypt a backup or configuration stored elsewhere, downstream compromise is possible. Ensure that factory reset also revokes any cloud authentication tokens or remote management credentials.

Is there a workaround if we cannot patch immediately?

Pending patch availability, implement compensating controls: perform manual secure wipe (e.g., using vendor-supplied secure erase tools) before factory reset, physically destroy devices scheduled for disposal, and maintain strict device custody documentation. Verify with GNCC whether their secure wipe tools address this specific flaw.

This analysis is provided for informational purposes to support vulnerability management and risk assessment. SEC.co does not host or distribute patches; verify all patch availability and version information directly with GNCC security advisories. CVSS scores, affected versions, and KEV status reflect the ground-truth data as of the publication date and may be updated by NVD or vendors. Organizations must validate applicability to their specific deployments and configurations. No warranty is provided regarding completeness or accuracy beyond the source data cited. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).