Critical Vulnerability Information

Vulnerability Details

Affected Device: Five new CVEs discovered in CIRCUTOR's TCPRS1+ device.
Research Context: The device features physical media conversion, Wi-Fi communication, an integrated web server, and the MyConfig application for automation.
Specific Model: TCPRS1+
Firmware Version: 1.0.14

--- Vulnerability List ---

Key Vulnerabilities to Focus On

CVE-2025-64389 - Sensitive Information Exchanged in Plaintext

Description: The device exchanges sensitive information in plaintext during communication operations.
Risk Explanation: Because the device uses insecure communication protocols (e.g., HTTP), attackers can intercept user credentials, system versions, and other sensitive data.
Mitigation Recommendations:
- Encrypt data in transit.
- Use secure protocols such as HTTPS.

CVE-2025-64387 - Clickjacking

Description: The device does not protect against clickjacking attacks (CWE-1021).
Risk Explanation: Attackers can overlay malicious websites to trick users into performing unintended actions.
Mitigation Recommendations:
- Implement Content Security Policy (CSP).
- Configure authentication cookies with SameSite=Strict.
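
An added example (not code from the advisory or from CIRCUTOR) that audits a web interface's response for the mitigations recommended above for both CVEs: HTTPS transport, a framing restriction, and `SameSite=Strict` cookies. The sample responses, the `session` cookie name and the 192.0.2.10 address are constructed placeholders; checking `X-Frame-Options` and the cookie `Secure` attribute goes beyond the advisory's own list.

```python
from urllib.parse import urlsplit

def parse_csp(value):
    """Return {directive: [sources]} from a Content-Security-Policy value."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:  # first occurrence of a directive wins, duplicates are ignored
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def cookie_attrs(set_cookie):
    """Return (cookie name, {attribute: value}) for one Set-Cookie header."""
    first, *rest = [p.strip() for p in set_cookie.split(";")]
    attrs = {}
    for item in rest:
        key, _, val = item.partition("=")
        attrs[key.strip().lower()] = val.strip().lower()
    return first.split("=", 1)[0], attrs

def audit(url, headers):
    """headers: list of (name, value) pairs as received. Returns a list of findings."""
    findings = []
    if urlsplit(url).scheme != "https":
        findings.append("plaintext transport: page not served over HTTPS")
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)
    ancestors = None
    for csp in by_name.get("content-security-policy", []):
        ancestors = parse_csp(csp).get("frame-ancestors", ancestors)
    xfo = {v.strip().upper() for v in by_name.get("x-frame-options", [])}
    framing_ok = (ancestors is not None and "*" not in ancestors) or bool({"DENY", "SAMEORIGIN"} & xfo)
    if not framing_ok:
        findings.append("clickjacking: no frame-ancestors or X-Frame-Options restriction")
    for raw in by_name.get("set-cookie", []):
        name, attrs = cookie_attrs(raw)
        if attrs.get("samesite") != "strict":
            findings.append(f"cookie {name}: SameSite is not Strict")
        if "secure" not in attrs:
            findings.append(f"cookie {name}: missing Secure attribute")
    return findings

# Constructed sample responses (placeholders, not captured from a real device).
WEAK = ("http://192.0.2.10/", [("Set-Cookie", "session=abc123; Path=/")])
HARDENED = ("https://192.0.2.10/", [
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"),
])
```

`audit(*WEAK)` returns four findings covering both CVEs, while `audit(*HARDENED)` returns an empty list.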