Waveshare RS232/485 To WiFi ETH (B) Gateway Administrator Password Exposure Vulnerability

Vulnerability

A vulnerability exists in the Waveshare RS232/485 to WiFi ETH (B) Serial-to-Ethernet/Wi-Fi Gateway, specifically in Firmware Version V3.1.1.0, Hardware Version 4.3.2.1, and Webpage Version V7.04T.07.002880.0301. The vulnerability allows the administrator password to be displayed in plaintext within the web management interface. This issue arises from inadequate user interface design, which embeds sensitive information in HTML responses without proper protection.

Impact

Exposing the administrator password in plaintext creates a risk of unauthorized access and control over the device. This vulnerability allows any authenticated user, even those with limited privileges, to extract the password. An attacker could use the obtained credentials to gain full administrative rights, enabling them to reconfigure network settings, serial routing logic, Telnet access, or Wi-Fi SSID options. In industrial or IoT environments, such actions could disrupt operations, intercept data, or facilitate unauthorized access to connected systems.

Reproduction

To reproduce this vulnerability, log into the device's web management interface and navigate to the section where the administrator password is displayed. The password is visible in plaintext for two reasons: the input field is improperly set to type 'text' instead of 'password', so the browser renders the value on screen, and the web server response embeds the password unencrypted in the HTML, so it is also readable in the page source.

Remediation

Waveshare should update the web interface to use password fields that mask sensitive information, remove plaintext passwords from HTML responses, implement secure storage for credentials, and add support for HTTPS to protect sensitive data during transmission.
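The two defects named above (a password input rendered as type 'text', and a secret pre-filled into the HTML response) can be checked for automatically when reviewing a device's web pages. The following is an added example, not code from Waveshare or from the device firmware; the sample HTML and the field names admin_user and admin_pwd are constructed for illustration and do not reflect the real device markup.

```python
from html.parser import HTMLParser

# Substrings that suggest an <input> holds a credential (assumption for this audit).
PASSWORD_HINTS = ("pass", "pwd")


class CredentialFieldAuditor(HTMLParser):
    """Collects <input> elements that look like password fields and notes how they are rendered."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        ident = (a.get("name", "") + " " + a.get("id", "")).lower()
        if not any(h in ident for h in PASSWORD_HINTS):
            return
        field_type = a.get("type", "text").lower()  # HTML default type is 'text'
        problems = []
        if field_type != "password":
            problems.append("type is %r, not 'password' (value shown on screen)" % field_type)
        if a.get("value"):
            problems.append("value attribute carries the secret in the HTML response")
        self.findings.append((a.get("name") or a.get("id"), problems))


def audit_html(html):
    """Return {field_name: [problem, ...]} for password-like inputs that expose their value."""
    parser = CredentialFieldAuditor()
    parser.feed(html)
    return {name: probs for name, probs in parser.findings if probs}


# Constructed sample pages (not the real device's markup).
VULNERABLE_PAGE = """
<form action="/account" method="post">
  <label>Username</label><input type="text" name="admin_user" value="admin">
  <label>Password</label><input type="text" name="admin_pwd" value="S3cretValue">
</form>
"""

HARDENED_PAGE = """
<form action="/account" method="post">
  <label>Username</label><input type="text" name="admin_user" value="admin">
  <label>New password</label><input type="password" name="admin_pwd" value="" autocomplete="new-password">
</form>
"""

if __name__ == "__main__":
    for label, page in (("vulnerable", VULNERABLE_PAGE), ("hardened", HARDENED_PAGE)):
        print(label, audit_html(page))
```

The hardened form masks input and never echoes the stored password back; a password change should be handled by a dedicated endpoint that accepts a new value without returning the current one.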

Added: Dec 4, 2025, 8:06 PM
Updated: Dec 4, 2025, 8:06 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 6.6
remediation: 0.0
relevance: 1.3
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.