{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24448", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "state": "PUBLISHED", "assignerShortName": "jpcert", "dateReserved": "2026-03-10T01:22:57.438Z", "datePublished": "2026-03-11T05:25:25.618Z", "dateUpdated": "2026-03-11T15:39:46.530Z"}, "containers": {"cna": {"affected": [{"vendor": "Micro Research Ltd.", "product": "MR-GM5L-S1", "versions": [{"version": "firmware versions prior to v2.01.04N1_02", "status": "affected"}]}, {"vendor": "Micro Research Ltd.", "product": "MR-GM5A-L1", "versions": [{"version": "firmware versions prior to v2.01.04N1_02", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "Use of hard-coded credentials issue exists in MR-GM5L-S1 and MR-GM5A-L1, which may allow an attacker to obtain administrative access."}], "problemTypes": [{"descriptions": [{"description": "Use of hard-coded credentials", "lang": "en-US", "cweId": "CWE-798", "type": "CWE"}]}], "references": [{"url": "https://www.mrl.co.jp/download/security/JVNVU98103854.pdf"}, {"url": "https://jvn.jp/en/vu/JVNVU98103854/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_0": {"version": "3.0", "baseSeverity": "CRITICAL", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}, {"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV4_0": {"version": "4.0", "baseSeverity": "CRITICAL", "baseScore": 9.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2026-03-11T05:25:25.618Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24448", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-11T15:37:24.361566Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T15:39:46.530Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24448", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-11T15:37:24.361566Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T15:39:25.458Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "baseScore": 9.3, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "Micro Research Ltd.", "product": "MR-GM5L-S1", "versions": [{"status": "affected", "version": "firmware versions prior to v2.01.04N1_02"}]}, {"vendor": "Micro Research Ltd.", "product": "MR-GM5A-L1", "versions": [{"status": "affected", "version": "firmware versions prior to v2.01.04N1_02"}]}], "references": [{"url": "https://www.mrl.co.jp/download/security/JVNVU98103854.pdf"}, {"url": "https://jvn.jp/en/vu/JVNVU98103854/"}], "descriptions": [{"lang": "en", "value": "Use of hard-coded credentials issue exists in MR-GM5L-S1 and MR-GM5A-L1, which may allow an attacker to obtain administrative access."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-798", "description": "Use of hard-coded credentials"}]}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2026-03-11T05:25:25.618Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24448", "state": "PUBLISHED", "dateUpdated": "2026-03-11T15:39:46.530Z", "dateReserved": "2026-03-10T01:22:57.438Z", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "datePublished": "2026-03-11T05:25:25.618Z", "assignerShortName": "jpcert"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Use of hard-coded credentials issue exists in MR-GM5L-S1 and MR-GM5A-L1, which may allow an attacker to obtain administrative access."}, {"lang": "es", "value": "Problema de uso de credenciales codificadas existe en MR-GM5L-S1 y MR-GM5A-L1, lo que podr\u00eda permitir a un atacante obtener acceso administrativo."}], "id": "CVE-2026-24448", "lastModified": "2026-04-30T16:18:02.367", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "vultures@jpcert.or.jp", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "vultures@jpcert.or.jp", "type": "Secondary"}]}, "published": "2026-03-11T06:17:13.697", "references": [{"source": "vultures@jpcert.or.jp", "url": "https://jvn.jp/en/vu/JVNVU98103854/"}, {"source": "vultures@jpcert.or.jp", "url": "https://www.mrl.co.jp/download/security/JVNVU98103854.pdf"}], "sourceIdentifier": "vultures@jpcert.or.jp", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-798"}], "source": "vultures@jpcert.or.jp", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,v2.01.04N1_02)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "MR-GM5A-L1", "source": "cna", "vendor": "Micro Research Ltd."}, "product": "mr-gm5a-l1", "vendor": "micro_research"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,v2.01.04N1_02)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "MR-GM5L-S1", "source": "cna", "vendor": "Micro Research Ltd."}, "product": "mr-gm5l-s1", "vendor": "micro_research"}], "analysis": {"en": {"generated_at": "2026-03-17T15:13:36.938745+00:00", "value": {"mitigation_remediation": ["Check Micro Research Ltd. website for firmware updates or patches that remove hard\u2011coded credentials.", "If no patch is available, isolate the devices from untrusted networks or disable external management access.", "Change any default administrator credentials to strong, unique passwords.", "Apply network segmentation and firewall rules to restrict access to the device management interfaces."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Administrative Access"}, "threat_synthesis": {"affected_systems": "Vendor: Micro Research Ltd. Products: MR\u2011GM5L\u2011S1 and MR\u2011GM5A\u2011L1. Specific affected firmware versions are not listed in the CVE record, so all firmware variants of these models should be considered vulnerable until the vendor publishes a fix.", "description_and_impact": "The vulnerability is a hard\u2011coded credentials flaw in the MR\u2011GM5L\u2011S1 and MR\u2011GM5A\u2011L1 devices, catalogued as CWE-798. It enables an attacker who can reach the device\u2019s management interface to log in with predetermined credentials and gain full administrative control, potentially allowing configuration changes, data exfiltration, or deployment of malicious firmware.", "risk_and_exploitability": "The CVSS score of 9.3 indicates critical severity, while the EPSS score of less than 1% suggests low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Exploitation is possible over the network due to the presence of hard\u2011coded credentials; no additional authentication is required beyond accessing the device\u2019s administrative interface."}}}}, "created": "2026-03-11T11:37:55.959879+00:00", "title": "Hard\u2011Coded Credentials Grant Administrative Access on MR\u2011GM5L\u2011S1 and MR\u2011GM5A\u2011L1 Devices", "updated": "2026-03-20T14:37:53.772375+00:00", "vendors": ["micro_research", "micro_research$PRODUCT$mr-gm5a-l1", "micro_research$PRODUCT$mr-gm5l-s1"]}