JVNDB-2026-006887

Multiple vulnerabilities in Micro Research MR-GM5L-S1 and MR-GM5A-L1

Overview

MR-GM5L-S1 and MR-GM5A-L1 provided by Micro Research Ltd. contain multiple vulnerabilities listed below.
  • Code injection (CWE-94) - CVE-2026-20892
  • Use of hard-coded credentials (CWE-798) - CVE-2026-24448
  • Authentication bypass using an alternate path or channel (CWE-288) - CVE-2026-27842
Chuya Hayakawa of 00One, Inc. reported these vulnerabilities to JPCERT/CC.
JPCERT/CC coordinated with the developer.

CVSS Severity

CVSS v3 Severity
Base Metrics: 7.2 (High) [Other]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
The above CVSS base score has been assigned to CVE-2026-20892.


CVSS v3 Severity
Base Metrics: 9.8 (Critical) [Other]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
The above CVSS base score has been assigned to CVE-2026-24448.


CVSS v3 Severity
Base Metrics: 9.8 (Critical) [Other]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
The above CVSS base score has been assigned to CVE-2026-27842.

Affected Products


Micro Research Ltd.
  • MR-GM5A-L1 firmware versions prior to v2.01.04N1_02
  • MR-GM5L-S1 firmware versions prior to v2.01.04N1_02

Impact

  • An attacker with administrative privileges may execute arbitrary commands (CVE-2026-20892)
  • An attacker may obtain administrative access (CVE-2026-24448)
  • An attacker may bypass authentication and change the device configuration (CVE-2026-27842)

Solution

[Update the firmware]
Update the firmware to the latest version according to the information provided by the developer.

Vendor Information

Micro Research Ltd.

CWE

  1. Authentication Bypass Using an Alternate Path or Channel (CWE-288) [Other]
  2. Use of Hard-coded Credentials (CWE-798) [Other]
  3. Code Injection (CWE-94) [Other]

CVE

  1. CVE-2026-20892
  2. CVE-2026-24448
  3. CVE-2026-27842

References

  1. JVN: JVNVU#98103854

Revision History

  • [2026/03/12]
      Web page was published