OTPulse

Moxa AWK-3131A/4131A/1131A/1137C Series Wireless AP/Bridge/Client Vulnerabilities

Dec 30, 2021
Summary

Multiple vulnerabilities identified in Moxa AWK-3131A/4131A/1131A/1137C Series Wireless AP/Bridge/Client devices:

1. Command Injection (CVE-2021-37752): Remote arbitrary command execution via web interface
2. Authentication Bypass (CVE-2021-37753, CVE-2021-37755): Remote bypass of authentication and exposure of unencrypted credentials
3. Buffer Overflow (CVE-2021-37757): Remote denial of service via improper input restriction
4. Information Disclosure (CVE-2021-37751): Remote extraction of sensitive information
5. Brute Force (CVE-2021-37754): Weak rate limiting allows credential guessing
6. Cross-Site Scripting (CVE-2021-37756): Remote injection of HTML/JavaScript via web interface
7. Firmware Verification (CVE-2021-37758): Improper verification allows malicious firmware installation

All versions of these products are affected. Moxa has indicated it is developing solutions but no fixed versions have been released.

What this means
What could happen
An attacker with network access to these wireless devices could execute arbitrary commands, bypass authentication, obtain administrative credentials through brute force, or inject malicious firmware—all of which could compromise network integrity and allow unauthorized control of wireless connectivity in your plant.
Who's at risk
Water utilities, electric utilities, and other critical infrastructure operators deploying Moxa AWK-series wireless access points or bridges for network connectivity, especially in remote sites, substation monitoring, or as client devices bridging wireless to wired networks. Any plant or facility relying on these devices for industrial network communications is at risk.
How it could be exploited
An attacker on the network or Internet accesses the device's web interface without authentication or with default credentials. They execute arbitrary commands via the web interface (CVE-2021-37752), or inject malicious firmware without signature verification (CVE-2021-37758). Alternatively, they perform a brute-force attack against weak authentication (CVE-2021-37754) to gain administrative access and reconfigure the device to intercept or block industrial network traffic.
Prerequisites
  • Network access to the device's web interface (port 80/443)
  • No valid credentials required for command injection and information disclosure vulnerabilities
  • Device must be reachable from the attacker's network segment
Risk factors:
  • Remotely exploitable
  • No authentication required for multiple CVEs
  • Low complexity
  • No patch available
  • Affects network infrastructure: loss of wireless connectivity could disrupt operations
Affected products (1)
Product                        Affected Versions   Fix Status
AWK-3131A/4131A/1131A/1137C    All versions        No fix (EOL)
Remediation & Mitigation
Do now
  • HARDENING: Isolate AWK-3131A/4131A/1131A/1137C devices on a separate management network segment with firewall rules restricting access to the web interface (ports 80, 443) from authorized engineering workstations only
  • WORKAROUND: Disable remote web management access if not required for operations; use local serial console access only for configuration
  • WORKAROUND: Change all default credentials and enforce strong, unique passwords on every device
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Monitor for firmware updates from Moxa and plan replacement of devices with fixed versions as soon as available
  • HARDENING: Implement intrusion detection/prevention rules to block suspicious HTTP/HTTPS requests to the device management interface
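The two network-level mitigations above (restricting the web interface to engineering workstations, and watching for suspicious HTTP/HTTPS requests to the management interface) can be checked from logs. The following is an added example, not code from the OTPulse advisory or from Moxa: it audits constructed, syslog-style lines from a hypothetical firewall or reverse proxy placed in front of the AWK devices, flags management-interface requests from hosts outside the allow-list, and flags sources that pile up failed logins inside a short sliding window, the pattern the weak rate limiting in CVE-2021-37754 does not stop. The log format, addresses, field names and thresholds are all assumptions; the sliding-window count goes beyond anything the advisory specifies.

```python
"""
Added example (not part of the OTPulse advisory or Moxa's software): audit
constructed front-end logs for (1) management-interface access from hosts
that are not allow-listed engineering workstations and (2) bursts of failed
logins from one source. The log line shape, addresses and thresholds below
are hypothetical.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Hypothetical allow-list of engineering workstations (constructed values).
ENGINEERING_WORKSTATIONS = {"10.10.5.21", "10.10.5.22"}
# Hypothetical addresses of the AWK devices' web management interfaces.
AWK_MANAGEMENT_IPS = {"10.20.0.10", "10.20.0.11"}
MANAGEMENT_PORTS = {80, 443}

# Brute-force heuristic: this many failed logins from one source inside the window.
FAILED_LOGIN_THRESHOLD = 5
FAILED_LOGIN_WINDOW = timedelta(minutes=2)

# Constructed line shape (assumption, not a real device or firewall format):
# "<ISO timestamp> src=<ip> dst=<ip> dport=<port> action=<allow|deny> login=<ok|fail|->"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"action=(?P<action>\w+) login=(?P<login>\S+)$"
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    event["dport"] = int(event["dport"])
    return event


def unauthorized_management_access(events):
    """Events that reach an AWK web interface from a host outside the allow-list.
    Denied attempts are included: a deny shows the firewall rule worked, but the
    source still warrants a look."""
    return [
        e for e in events
        if e["dst"] in AWK_MANAGEMENT_IPS
        and e["dport"] in MANAGEMENT_PORTS
        and e["src"] not in ENGINEERING_WORKSTATIONS
    ]


def brute_force_sources(events, threshold=FAILED_LOGIN_THRESHOLD, window=FAILED_LOGIN_WINDOW):
    """Sources with at least `threshold` failed logins against an AWK device
    inside any sliding window of length `window`."""
    failures = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["login"] == "fail" and e["dst"] in AWK_MANAGEMENT_IPS:
            failures[e["src"]].append(e["ts"])
    flagged = set()
    for src, times in failures.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(src)
                break
    return sorted(flagged)


def audit(lines):
    """Run both checks over raw log lines and return the flagged sources."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    return {
        "unauthorized_sources": sorted({e["src"] for e in unauthorized_management_access(events)}),
        "brute_force_sources": brute_force_sources(events),
    }


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2021-12-30T08:00:00 src=10.10.5.21 dst=10.20.0.10 dport=443 action=allow login=ok",
    "2021-12-30T08:00:05 src=10.10.7.99 dst=10.20.0.10 dport=80 action=allow login=fail",
    "2021-12-30T08:00:10 src=10.10.7.99 dst=10.20.0.10 dport=80 action=allow login=fail",
    "2021-12-30T08:00:15 src=10.10.7.99 dst=10.20.0.10 dport=80 action=allow login=fail",
    "2021-12-30T08:00:20 src=10.10.7.99 dst=10.20.0.10 dport=80 action=allow login=fail",
    "2021-12-30T08:00:25 src=10.10.7.99 dst=10.20.0.10 dport=80 action=allow login=fail",
    "2021-12-30T08:01:00 src=10.10.5.22 dst=10.20.0.11 dport=443 action=allow login=fail",
    "2021-12-30T08:05:00 src=10.10.5.22 dst=10.20.0.11 dport=443 action=allow login=fail",
    "2021-12-30T08:09:00 src=10.30.1.5 dst=10.20.0.11 dport=22 action=deny login=-",
    "2021-12-30T08:10:00 src=10.30.1.7 dst=10.20.0.11 dport=443 action=deny login=-",
]

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

On the sample data the allow-list check reports 10.10.7.99 and 10.30.1.7 (the port-22 attempt is not a web-interface request and is left to other rules), and the sliding-window check reports only 10.10.7.99; the two failed logins from the allow-listed 10.10.5.22 stay below the threshold. Tune the threshold and window to the site's real login volume before acting on the output.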