Moxa EDR-810 Series Secure Routers Vulnerabilities
Low Risk · Sep 30, 2019
Summary
Two vulnerabilities were identified in Moxa EDR-810 Series secure routers:
1. CVE-2019-10969 (Improper Input Validation, CWE-20): The web console allows authenticated users with Admin or ConfigAdmin privileges to submit improper input that can lead to unauthorized commands being executed on the router.
2. CVE-2019-10963 (Improper Access Control, CWE-284): Log information is accessible by unauthenticated attackers, potentially disclosing sensitive information including configuration and system details.
Both vulnerabilities affect all versions of the EDR-810 series. Moxa has indicated that solutions have been developed to address these issues.
What this means
What could happen
An authenticated user with admin credentials could execute unauthorized commands on the router to modify network configurations or disrupt communications, and an unauthenticated attacker could retrieve log files containing sensitive system and network information.
Who's at risk
Municipal utilities and water authorities that rely on Moxa EDR-810 Series secure routers for ICS network communications and remote site connectivity. These routers are commonly used to connect remote substations, water treatment plants, and SCADA front-end servers to the corporate network. Operators of any critical infrastructure facility using EDR-810 for WAN or branch office connectivity should be concerned.
How it could be exploited
For CVE-2019-10969: An attacker with valid Admin or ConfigAdmin credentials accesses the web console and injects malicious input into a command field, causing the router to execute unintended commands that alter routing or firewall rules. For CVE-2019-10963: An attacker connects to the router and requests log files through an unauthenticated interface (such as HTTP or SNMP), gaining access to logs that may contain IP addresses, user names, or system configuration details.
Prerequisites
- Valid Admin or ConfigAdmin credentials for the web console (CVE-2019-10969)
- Network connectivity to the EDR-810 web interface port (typically 80 or 443)
- Network connectivity to the EDR-810 log retrieval endpoint for CVE-2019-10963
- No credentials required for log retrieval (CVE-2019-10963)
No patch available (all versions affected, no fix planned).
Default or weak credentials could enable exploitation.
Unauthenticated log access provides reconnaissance for further attacks.
Unauthorized command execution could alter network routing or firewall policies affecting plant operations.
Exploitability
Moderate exploit probability (EPSS 4.9%)
Affected products (1)
Product | Affected Versions | Fix Status
EDR-810 | All versions | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Restrict access to the EDR-810 web console (port 80/443) using firewall rules. Only allow access from authorized engineering workstations or management networks.
HARDENING: Implement network segmentation to limit which devices can reach the EDR-810 management interface. Place the router on a separate management VLAN if possible.
HARDENING: Disable or restrict access to log retrieval endpoints (such as HTTP GET requests for logs or SNMP log queries) on the EDR-810 from untrusted networks.
WORKAROUND: Monitor EDR-810 web access logs and firewall logs for unauthorized access attempts to the console or log retrieval endpoints.
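The firewall allow-list and monitoring steps above can be checked together by running perimeter firewall logs against the list of hosts that are supposed to reach the console. The script below is an added example, not part of this advisory or of Moxa's tooling; the router address, the management VLAN, the workstation address and the key=value log format are all constructed assumptions.

```python
import ipaddress
import re

# Constructed allow list: only the management VLAN and one engineering
# workstation may reach the EDR-810 web console (addresses are assumptions).
ALLOWED_SOURCES = [
    ipaddress.ip_network("10.10.50.0/24"),    # management VLAN (assumed)
    ipaddress.ip_network("10.10.20.15/32"),   # engineering workstation (assumed)
]
EDR810_ADDRESS = ipaddress.ip_address("10.10.100.1")  # router address (assumed)
CONSOLE_PORTS = {80, 443}  # web console ports named in the advisory

# Key=value firewall log format, constructed for this example; adapt the
# regex to the real firewall's syslog format.
LOG_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)"
)

def is_allowed_source(src):
    """True if the source address falls inside an allow-listed network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ALLOWED_SOURCES)

def find_unauthorized_console_access(log_lines):
    """Flag traffic to the EDR-810 console ports from non-allow-listed hosts.
    An 'allow' hit means the firewall policy has a gap; a 'drop' hit is an
    attempted access that still deserves investigation."""
    findings = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # skip lines that do not match the expected format
        # Only the router's console ports are in scope; other services
        # (e.g. Modbus/TCP 502) are ignored here.
        if ipaddress.ip_address(m["dst"]) != EDR810_ADDRESS or int(m["dport"]) not in CONSOLE_PORTS:
            continue
        if not is_allowed_source(m["src"]):
            findings.append({"src": m["src"], "dport": m["dport"], "action": m["action"]})
    return findings

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    "src=10.10.50.23 dst=10.10.100.1 dport=443 action=allow",
    "src=10.10.20.15 dst=10.10.100.1 dport=80 action=allow",
    "src=192.168.7.44 dst=10.10.100.1 dport=443 action=allow",
    "src=172.16.3.9 dst=10.10.100.1 dport=80 action=drop",
    "src=172.16.3.9 dst=10.10.100.1 dport=502 action=allow",
]

if __name__ == "__main__":
    for f in find_unauthorized_console_access(SAMPLE_LOG):
        print(f"ALERT: {f['src']} -> EDR-810 port {f['dport']} ({f['action']})")
```

On the sample data the 192.168.7.44 hit shows a permitted connection from a host that is not on the allow list, i.e. a rule that needs tightening, while the dropped attempt from 172.16.3.9 is the kind of event the monitoring step is meant to surface.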
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HARDENING: Rotate and strengthen Admin and ConfigAdmin credentials. Use complex passwords and consider implementing multi-factor authentication if supported by the EDR-810.
CVEs (2)