{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-20892", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "state": "PUBLISHED", "assignerShortName": "jpcert", "dateReserved": "2026-03-10T01:23:02.687Z", "datePublished": "2026-03-11T05:25:15.694Z", "dateUpdated": "2026-03-11T15:39:46.667Z"}, "containers": {"cna": {"affected": [{"vendor": "Micro Research Ltd.", "product": "MR-GM5L-S1", "versions": [{"version": "firmware versions prior to v2.01.04N1_02", "status": "affected"}]}, {"vendor": "Micro Research Ltd.", "product": "MR-GM5A-L1", "versions": [{"version": "firmware versions prior to v2.01.04N1_02", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "Code injection vulnerability exists in MR-GM5L-S1 and MR-GM5A-L1, which may allow an attacker with administrative privileges to execute arbitrary commands."}], "problemTypes": [{"descriptions": [{"description": "Code injection", "lang": "en-US", "cweId": "CWE-94", "type": "CWE"}]}], "references": [{"url": "https://www.mrl.co.jp/download/security/JVNVU98103854.pdf"}, {"url": "https://jvn.jp/en/vu/JVNVU98103854/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_0": {"version": "3.0", "baseSeverity": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}}, {"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV4_0": {"version": "4.0", "baseSeverity": "HIGH", "baseScore": 8.6, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2026-03-11T05:25:15.694Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-20892", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-11T15:37:30.516008Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T15:39:46.667Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-20892", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-11T15:37:30.516008Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T15:39:27.454Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "baseScore": 7.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "baseScore": 8.6, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "Micro Research Ltd.", "product": "MR-GM5L-S1", "versions": [{"status": "affected", "version": "firmware versions prior to v2.01.04N1_02"}]}, {"vendor": "Micro Research Ltd.", "product": "MR-GM5A-L1", "versions": [{"status": "affected", "version": "firmware versions prior to v2.01.04N1_02"}]}], "references": [{"url": "https://www.mrl.co.jp/download/security/JVNVU98103854.pdf"}, {"url": "https://jvn.jp/en/vu/JVNVU98103854/"}], "descriptions": [{"lang": "en", "value": "Code injection vulnerability exists in MR-GM5L-S1 and MR-GM5A-L1, which may allow an attacker with administrative privileges to execute arbitrary commands."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-94", "description": "Code injection"}]}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2026-03-11T05:25:15.694Z"}}}, "cveMetadata": {"cveId": "CVE-2026-20892", "state": "PUBLISHED", "dateUpdated": "2026-03-11T15:39:46.667Z", "dateReserved": "2026-03-10T01:23:02.687Z", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "datePublished": "2026-03-11T05:25:15.694Z", "assignerShortName": "jpcert"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Code injection vulnerability exists in MR-GM5L-S1 and MR-GM5A-L1, which may allow an attacker with administrative privileges to execute arbitrary commands."}, {"lang": "es", "value": "Vulnerabilidad de inyecci\u00f3n de c\u00f3digo existe en MR-GM5L-S1 y MR-GM5A-L1, lo que podr\u00eda permitir a un atacante con privilegios administrativos ejecutar comandos arbitrarios."}], "id": "CVE-2026-20892", "lastModified": "2026-04-30T16:18:02.367", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "vultures@jpcert.or.jp", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "vultures@jpcert.or.jp", "type": "Secondary"}]}, "published": "2026-03-11T06:17:13.510", "references": [{"source": "vultures@jpcert.or.jp", "url": "https://jvn.jp/en/vu/JVNVU98103854/"}, {"source": "vultures@jpcert.or.jp", "url": "https://www.mrl.co.jp/download/security/JVNVU98103854.pdf"}], "sourceIdentifier": "vultures@jpcert.or.jp", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "vultures@jpcert.or.jp", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,v2.01.04N1_02)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "MR-GM5A-L1", "source": "cna", "vendor": "Micro Research Ltd."}, "product": "mr-gm5a-l1", "vendor": "micro_research"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,v2.01.04N1_02)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "MR-GM5L-S1", "source": "cna", "vendor": "Micro Research Ltd."}, "product": "mr-gm5l-s1", "vendor": "micro_research"}], "analysis": {"en": {"generated_at": "2026-03-17T16:04:30.223167+00:00", "value": {"mitigation_remediation": ["Apply the vendor-provided patch or firmware update as soon as it becomes available.", "Restrict administrative privileges to only essential personnel and enforce least\u2011privilege principles.", "Monitor system logs for abnormal command execution or injection\u2011related activity.", "Check the vendor\u2019s website or support channels regularly for updates or advisories on this vulnerability."], "summary": {"action": "Immediate Patch", "impact": "Remote Command Execution"}, "threat_synthesis": {"affected_systems": "Micro Research Ltd. products MR\u2011GM5L\u2011S1 and MR\u2011GM5A\u2011L1 are affected. No specific firmware or software version information is provided; administrators should assume that all current releases of these models may be vulnerable until a patch is released.", "description_and_impact": "The vulnerability is a code injection flaw (CWE-94) that allows an attacker with administrative privileges on a Micro Research Ltd. MR\u2011GM5L\u2011S1 or MR\u2011GM5A\u2011L1 device to execute arbitrary commands. This flaw can lead to a complete compromise of the affected system, as any command can be run with the privileges of the service or configuration in which the injection is possible, threatening both integrity and availability.", "risk_and_exploitability": "The CVSS score of 8.6 indicates high severity. EPSS shows an exploitation likelihood of less than 1%, indicating a low probability of automated attacks, but the impact would be severe if exploited. The vulnerability is not listed in the CISA KEV catalog, suggesting no publicly documented exploits yet. Attack exploitation requires local administrative access, implying an insider or compromised account scenario; thus the risk is significant for organizations that provide or share administrative credentials."}}}}, "created": "2026-03-11T11:37:56.866359+00:00", "title": "Code injection in Micro Research MR\u2011GM5L\u2011S1 and MR\u2011GM5A\u2011L1 allowing command execution", "updated": "2026-03-20T14:37:54.732898+00:00", "vendors": ["micro_research", "micro_research$PRODUCT$mr-gm5a-l1", "micro_research$PRODUCT$mr-gm5l-s1"]}