OTPulse Weekly Briefing - May 4, 2026

Moxa published a security advisory on April 27 covering two CVEs across six product families: TN-4900 Series, EDR-8010 Series, EDR-G9010 Series, OnCell G4302-LTE4 Series, OnCell G4308-LTE4 Series, and EDF-G1002-BP Series. These are industrial routers and cellular gateways - the devices that connect a remote pump station or substation to the SCADA historian over LTE. CVE-2026-3868 is an unauthenticated remote DoS on the HTTPS management interface (CVSS 8.7). CVE-2026-3867 is a low-privilege password hash exposure via exported config files. Firmware v3.24 fixes the issue for most affected families. OnCell users specifically need to contact Moxa Technical Support to request v3.24.1 - it is not available through the standard firmware download path.

The patch is good news, but it does not eliminate the full risk picture. Most teams that manage remote Moxa routers have exported configuration files at some point, usually as part of a maintenance or backup workflow. Those files contain the admin password hash. If a low-privilege user has accessed a backup file before this patch, the hash is already exposed and patching does not undo that. The remediation section below covers what to do about existing backup files.

This is also the third edge-device advisory in three weeks. Two weeks ago: ArcaneDoor FXOS persistence on Cisco firewall hardware, state-sponsored, survives the application-layer patches. Last week: CISA and NCSC joint advisory on Chinese state-sponsored actors maintaining covert networks of hijacked SOHO routers and IoT devices. This week: Moxa secure routers, the devices that physically bridge your OT network to the outside world. The pattern is consistent enough to treat as a theme, not a coincidence. The edge device connecting your remote site is the current campaign's preferred first step.

The TN-4900 and EDR series are industrial secure routers designed for OT network segmentation and remote backhaul. At a pump station or substation, you typically find one sitting at the boundary: one interface connected to the OT network (PLC, RTU, flow meter), and one connected to a cellular WAN link that provides the remote path back to the SCADA historian. The OnCell G4302-LTE4 and G4308-LTE4 variants are the cellular-specific models - designed for sites where wireline connectivity is impractical, which describes most remote utility installations.

This dual role is what makes these devices high-value targets. If an attacker crashes the management interface, they disrupt your ability to manage the device remotely (forcing a truck roll to the site) and they may also use the disruption as cover for configuration changes that survive the reboot. If they extract the admin credential hash, they can attempt an offline crack and potentially own the router - which also means owning the remote access path to whatever is behind it.

CVE-2026-3868 is the higher-urgency finding. No authentication, low complexity, remotely exploitable from any segment that can reach the management interface. A crash forces a reboot and a truck roll if you have no out-of-band management path. CVE-2026-3867 is lower urgency in isolation, but config exports are a standard ops practice - most teams have exported at least one config backup during commissioning or a maintenance window. If that file exists on a network share or in a maintenance laptop's Downloads folder, the condition for exploitation is already met.

Firmware v3.24 covers the TN-4900, EDR-8010, EDR-G9010, and EDF-G1002-BP families through the standard Moxa firmware download path. For OnCell G4302-LTE4 and OnCell G4308-LTE4, the patch version is v3.24.1 and it requires a direct support contact - you cannot download it from the Moxa website without opening a case. The Moxa advisory page for MPSA-261521 confirms this directly.

For remote pump stations and substations, the practical staging reality is that firmware updates often require a maintenance window scheduled weeks out. Until you can stage the patch, the compensating controls below are not optional - they are the actual mitigation plan.

1. Restrict HTTPS management to a dedicated management VLAN. The management interface should not be reachable from the OT network segment or from the WAN interface. If you cannot isolate it today, adding a firewall ACL blocking port 443 inbound to Moxa device IPs from untrusted segments is the interim fix. Pull those ACLs now and verify.

2. Treat every config backup as a compromised secret. If your team has exported a configuration file from any of these devices - during commissioning, during a maintenance window, for disaster recovery documentation - that file contains the admin password hash. Locate all copies (USB drives in panels, network shares, maintenance laptops) and rotate the admin password before and after patching. The hash in the existing backup file is still crackable after you patch.

3. Set syslog alerting on router web service restarts outside maintenance windows. If Moxa devices are sending syslog to your SIEM, configure an alert on management service restarts that occur outside a scheduled window. An unexplained restart is the only outward sign you would notice of CVE-2026-3868 exploitation. If these devices are not sending syslog yet, configure it today - the management VLAN isolation step above makes this straightforward.

4. Open a Moxa support ticket for OnCell v3.24.1 this week. The lead time on vendor support contacts at remote utility sites is measured in days to weeks, not hours. If you have OnCell G4302-LTE4 or G4308-LTE4 devices in your environment, the support ticket needs to be open now. Do not wait until the maintenance window is scheduled.

5. Audit firewall rules for port 443 inbound to any Moxa management interface from an untrusted segment. Close those today. On most firewall platforms: pull the relevant ACL, filter for any allow rule that lists a Moxa device IP as the destination and 443 as the destination port, and confirm whether the source segment is trusted. On Cisco ASA: show access-list | include 443 and cross-reference against your Moxa device IPs.

Three advisories in three weeks that share the same attack surface: the device connecting your remote OT site to the rest of the world. ArcaneDoor established FXOS-layer persistence on Cisco firewall hardware, specifically chosen because it survives application-layer patching. The China covert-network advisory documented active maintenance of compromised SOHO routers and IoT devices as covert infrastructure. Now Moxa secure routers, which handle cellular backhaul at remote utility sites, have an unauthenticated DoS and an admin credential exposure path.

The pattern is: identify the device that bridges the site network to central operations, develop or find a foothold there, and work inward from that position. Segmenting and monitoring edge devices - not just patching them - is the specific defensive requirement this campaign pattern demands.