{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27842", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "state": "PUBLISHED", "assignerShortName": "jpcert", "dateReserved": "2026-03-10T01:23:00.998Z", "datePublished": "2026-03-11T05:25:34.834Z", "dateUpdated": "2026-03-11T15:39:46.393Z"}, "containers": {"cna": {"affected": [{"vendor": "Micro Research Ltd.", "product": "MR-GM5L-S1", "versions": [{"version": "firmware versions prior to v2.01.04N1_02", "status": "affected"}]}, {"vendor": "Micro Research Ltd.", "product": "MR-GM5A-L1", "versions": [{"version": "firmware versions prior to v2.01.04N1_02", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "Authentication bypass issue exists in MR-GM5L-S1 and MR-GM5A-L1, which may allow an attacker to bypass authentication and change the device configuration."}], "problemTypes": [{"descriptions": [{"description": "Authentication Bypass Using an Alternate Path or Channel", "lang": "en-US", "cweId": "CWE-288", "type": "CWE"}]}], "references": [{"url": "https://www.mrl.co.jp/download/security/JVNVU98103854.pdf"}, {"url": "https://jvn.jp/en/vu/JVNVU98103854/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_0": {"version": "3.0", "baseSeverity": "CRITICAL", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}, {"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV4_0": {"version": "4.0", "baseSeverity": "CRITICAL", "baseScore": 9.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2026-03-11T05:25:34.834Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27842", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-11T15:37:16.992716Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T15:39:46.393Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27842", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-11T15:37:16.992716Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T15:39:23.113Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "baseScore": 9.3, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "Micro Research Ltd.", "product": "MR-GM5L-S1", "versions": [{"status": "affected", "version": "firmware versions prior to v2.01.04N1_02"}]}, {"vendor": "Micro Research Ltd.", "product": "MR-GM5A-L1", "versions": [{"status": "affected", "version": "firmware versions prior to v2.01.04N1_02"}]}], "references": [{"url": "https://www.mrl.co.jp/download/security/JVNVU98103854.pdf"}, {"url": "https://jvn.jp/en/vu/JVNVU98103854/"}], "descriptions": [{"lang": "en", "value": "Authentication bypass issue exists in MR-GM5L-S1 and MR-GM5A-L1, which may allow an attacker to bypass authentication and change the device configuration."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-288", "description": "Authentication Bypass Using an Alternate Path or Channel"}]}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2026-03-11T05:25:34.834Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27842", "state": "PUBLISHED", "dateUpdated": "2026-03-11T15:39:46.393Z", "dateReserved": "2026-03-10T01:23:00.998Z", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "datePublished": "2026-03-11T05:25:34.834Z", "assignerShortName": "jpcert"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Authentication bypass issue exists in MR-GM5L-S1 and MR-GM5A-L1, which may allow an attacker to bypass authentication and change the device configuration."}, {"lang": "es", "value": "Existe un problema de omisi\u00f3n de autenticaci\u00f3n en MR-GM5L-S1 y MR-GM5A-L1, lo que podr\u00eda permitir a un atacante omitir la autenticaci\u00f3n y cambiar la configuraci\u00f3n del dispositivo."}], "id": "CVE-2026-27842", "lastModified": "2026-04-30T16:18:02.367", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "vultures@jpcert.or.jp", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "vultures@jpcert.or.jp", "type": "Secondary"}]}, "published": "2026-03-11T06:17:13.867", "references": [{"source": "vultures@jpcert.or.jp", "url": "https://jvn.jp/en/vu/JVNVU98103854/"}, {"source": "vultures@jpcert.or.jp", "url": "https://www.mrl.co.jp/download/security/JVNVU98103854.pdf"}], "sourceIdentifier": "vultures@jpcert.or.jp", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-288"}], "source": "vultures@jpcert.or.jp", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,v2.01.04N1_02)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "MR-GM5A-L1", "source": "cna", "vendor": "Micro Research Ltd."}, "product": "mr-gm5a-l1", "vendor": "micro_research"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,v2.01.04N1_02)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "MR-GM5L-S1", "source": "cna", "vendor": "Micro Research Ltd."}, "product": "mr-gm5l-s1", "vendor": "micro_research"}], "analysis": {"en": {"generated_at": "2026-03-17T17:11:08.546546+00:00", "value": {"mitigation_remediation": ["Apply the latest firmware update for MR\u2011GM5L\u2011S1 and MR\u2011GM5A\u2011L1 from the Micro Research Ltd. website", "If a firmware update is not yet available, isolate the device from critical network segments and restrict management access to trusted hosts", "Monitor device logs for unauthorized configuration changes"], "summary": {"action": "Patch immediately", "impact": "Authentication bypass, configuration compromise"}, "threat_synthesis": {"affected_systems": "The affected systems are the Micro Research Ltd. MR\u2011GM5L\u2011S1 and MR\u2011GM5A\u2011L1 models. No specific firmware or patch version information was provided, so any installed firmware on these models should be considered vulnerable until a vendor update is applied.", "description_and_impact": "Authentication bypass issue exists in Micro Research Ltd. devices MR-GM5L-S1 and MR-GM5A-L1, allowing an attacker to access and modify device configuration settings without proper authentication. The identified weakness is CWE-288, which indicates improper enforcement of authentication controls. An exploited vulnerability would give attackers the ability to change configuration parameters, potentially altering device behavior or connectivity.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 9.3, indicating critical severity, while the EPSS score is reported as less than 1%, suggesting a low current exploitation probability. This issue is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack vector is remote through the device\u2019s management interface; local access may also enable exploitation, but the required conditions are minimal, contributing to a high risk level."}}}}, "created": "2026-03-11T11:37:55.089881+00:00", "title": "Authentication Bypass in Micro Research MR\u2011GM5 Devices Allowing Unauthorized Configuration Changes", "updated": "2026-03-20T14:37:52.843599+00:00", "vendors": ["micro_research", "micro_research$PRODUCT$mr-gm5a-l1", "micro_research$PRODUCT$mr-gm5l-s1"]}