OTPulse

Moxa AWK-3121 Series Industrial AP/Bridge/Client Vulnerabilities

Plan Patch | CVSS 10 | Dec 2, 2019
Summary

The Moxa AWK-3121 Series industrial wireless access point contains multiple critical vulnerabilities across 10 CVE identifiers spanning command injection (CWE-77), cross-site scripting (CWE-79), buffer overflow (CWE-119), insecure credential management (CWE-255), improper access control (CWE-284), and CSRF (CWE-352). The command injection vulnerabilities affect multiple parameters and allow arbitrary shell command execution. The device ships with insecure defaults: unencrypted HTTP for web management, an open unencrypted Wi-Fi network requiring no password, and an enabled unencrypted TELNET service. The web interface is also vulnerable to XSS attacks capable of stealing session cookies and lacks CSRF protection. Additionally, system logs can be downloaded without proper authorization. No fix is currently available from Moxa.

What this means
What could happen
An attacker with network access to the Moxa AWK-3121 AP/bridge could inject commands to execute arbitrary code, potentially reconfiguring the device or disrupting industrial wireless connectivity. Additionally, the device has multiple default insecure settings (unencrypted HTTP, open Wi-Fi, TELNET) that expose credentials and allow unauthorized access.
Who's at risk
Manufacturing facilities and transportation systems using Moxa AWK-3121 wireless access points or bridges for industrial control networks should be concerned. This includes any plant that relies on this device for wireless connectivity between PLCs, remote I/O, or engineering workstations.
How it could be exploited
An attacker on the network can send specially crafted requests to the device's web interface to inject shell commands through vulnerable parameters (CVE-2018-10697, CVE-2018-10699, CVE-2018-10702), gaining command execution. Alternatively, the attacker can connect to the open Wi-Fi network without credentials (CVE-2018-10694), access the unencrypted TELNET service (CVE-2018-10698), or intercept unencrypted HTTP traffic (CVE-2018-10690) to steal admin credentials or session cookies via XSS attacks (CVE-2018-10692, CVE-2018-10700).
Prerequisites
  • Network reachability to the device's web interface (port 80 or default HTTP port)
  • Or proximity to open Wi-Fi SSID broadcast by the device
  • Or network reachability to TELNET port (23) for unencrypted access
  • No valid credentials required for Wi-Fi connection (open network)
  • No authentication required for some command injection vectors
  • remotely exploitable
  • no authentication required for some vectors
  • low complexity exploitation
  • no patch available
  • default credentials and insecure defaults
  • multiple vulnerability types (command injection, XSS, buffer overflow, credential exposure)
Exploitability
Moderate exploit probability (EPSS 2.4%)
Affected products (1)
Product | Affected Versions | Fix Status
AWK-3121 | All versions | No fix (EOL)
Remediation & Mitigation
Do now
HOTFIX: Contact Moxa support immediately to obtain available security patches or replacement devices, as no fix is currently available for the AWK-3121 series.
WORKAROUND: Disable or restrict access to the HTTP web interface; require HTTPS-only connections where possible.
WORKAROUND: Disable the TELNET service if not critical to operations; manage the device only via HTTPS or out-of-band methods.
WORKAROUND: Change the Wi-Fi SSID broadcast settings or configure WPA2/WPA3 encryption on the wireless network if the device supports it; document any default credentials and change them immediately.
Mitigations - no patch available
AWK-3121 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Implement network segmentation: isolate the AWK-3121 on a separate VLAN accessible only to authorized industrial devices and engineering workstations.
HARDENING: Deploy network-based intrusion detection/prevention (IDS/IPS) rules to detect and block command injection payloads and suspicious access patterns to the device.
HARDENING: Audit and monitor system logs for unauthorized downloads, CSRF attacks, or access attempts to the device web interface.
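
One way to verify the TELNET/HTTP workarounds and the VLAN isolation above is to test reachability from a host that should not be able to manage the device. This is an added example, not code from OTPulse or Moxa; the function names and the inventory addresses are assumptions made for illustration.

```python
import socket

# Unencrypted management services named in the advisory, with the CVE the
# page associates with each. Port numbers are the ones the page states.
RISKY_SERVICES = {
    23: ("TELNET (unencrypted)", "CVE-2018-10698"),
    80: ("HTTP web management (unencrypted)", "CVE-2018-10690"),
}


def tcp_reachable(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port completes in time."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout), unreachable
        return False


def audit_device(host, services=None, timeout=2.0):
    """List the risky services on one device that this vantage point can reach."""
    services = RISKY_SERVICES if services is None else services
    return [
        {"host": host, "port": port, "service": name, "cve": cve}
        for port, (name, cve) in sorted(services.items())
        if tcp_reachable(host, port, timeout)
    ]


def audit_inventory(hosts, services=None, timeout=2.0):
    """Map each host to its findings; an empty list means the control holds."""
    return {h: audit_device(h, services, timeout) for h in hosts}


if __name__ == "__main__":
    # Constructed inventory using RFC 5737 documentation addresses;
    # replace with the management IPs of your own AWK-3121 units.
    inventory = ["192.0.2.10", "192.0.2.11"]
    for host, findings in audit_inventory(inventory, timeout=1.0).items():
        if not findings:
            print(f"{host}: OK, TELNET and HTTP not reachable from here")
        for f in findings:
            print(f"{host}: port {f['port']} open, {f['service']}, {f['cve']}")
```

Any finding reported from outside the isolated VLAN means the service is still enabled and the segmentation rule is not blocking it.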
Moxa AWK-3121 Series Industrial AP/Bridge/Client Vulnerabilities | CVSS 10 - OTPulse