OTPulse

Moxa EDR-810 Series Secure Router Vulnerabilities

Act Now · Mar 23, 2021
Summary

Multiple critical vulnerabilities were identified in Moxa EDR-810 Series industrial secure routers affecting all versions. Vulnerability types include: improper input validation allowing remote code execution via crafted HTTP requests and denial of service via DHCP/SNMP/SSH password authentication; buffer overflow in SSH privilege-separation; exposure of process memory data through malformed TLS; outdated cryptographic protocols (SSLv3, TLSv1.0) enabling man-in-the-middle attacks and plaintext recovery; and improper access control on the console. These vulnerabilities allow remote attackers to execute arbitrary code, cause denial of service, decrypt encrypted traffic, or obtain sensitive information without authentication. Moxa has stated no patches will be provided for this end-of-life product line.

What this means
What could happen
An attacker could remotely execute commands on the EDR-810 router through crafted HTTP requests, or cause it to stop routing traffic entirely through denial-of-service attacks, disrupting network connectivity for critical manufacturing operations. Additionally, an attacker could intercept management traffic protected only by the outdated SSL/TLS versions and decrypt it, or obtain sensitive data from the router's process memory.
Who's at risk
Manufacturing facilities and utilities relying on Moxa EDR-810 Series secure routers for industrial network connectivity, especially those used to connect operational technology networks to corporate networks or the internet. This includes water authorities, electric utilities, and other critical infrastructure operators using these routers as network access points.
How it could be exploited
An attacker on the network could send a crafted HTTP request to the router's web management interface (port 80 or 443) to achieve remote code execution. Alternatively, they could send malformed DHCP packets to cause denial of service, or exploit outdated TLS/SSL protocols to perform man-in-the-middle attacks and decrypt management traffic. SSH access could allow privilege escalation to root if the attacker first gains local shell access.
Prerequisites
  • Network access to the EDR-810 on ports 80, 443, 22, or 161 (HTTP, HTTPS, SSH, SNMP)
  • No authentication required for HTTP-based remote code execution or DHCP-based denial of service
  • Physical console access may be required for some privilege escalation paths
  • remotely exploitable
  • no authentication required for code execution
  • low complexity
  • actively exploited (KEV)
  • high EPSS score (94.3%)
  • no patch available (end-of-life product)
  • affects critical network infrastructure
Exploitability
Actively exploited — confirmed by CISA KEV
Affected products (1)
Product    Affected Versions    Fix Status
EDR-810    All versions         No fix (EOL)
Remediation & Mitigation
Do now
HOTFIX: Replace EDR-810 Series routers with current-generation Moxa secure router models that have received security updates
HARDENING: Implement network segmentation to restrict access to the EDR-810 management ports (80, 443, 22, 161) from untrusted networks
WORKAROUND: Deploy firewall rules to block DHCP traffic from entering the management interface and restrict HTTP/HTTPS access to authorized engineering workstations only
HARDENING: Disable SNMP if not required for operations; if required, restrict SNMP access to a management VLAN
HARDENING: Disable SSH remote access if not required; restrict SSH to a bastion host or VPN connection only
HARDENING: Enable TLS 1.2 or higher for all management connections and disable SSLv3, TLSv1.0, and TLSv1.1
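The segmentation, DHCP-blocking, SNMP and SSH restrictions above, combined into one nftables ruleset for a Linux firewall that forwards traffic towards the EDR-810 management interface. This is an added example, not material from the OTPulse advisory or from Moxa; the router address, management VLAN, bastion host and workstation addresses are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the OTPulse advisory or from Moxa: emit an nftables
# ruleset for a Linux firewall forwarding traffic towards an EDR-810 management
# interface. All addresses are placeholders supplied by the caller.
#
# Usage: edr810_rules ROUTER_IP MGMT_VLAN_CIDR BASTION_IP WORKSTATION_IP...
# Apply: edr810_rules 192.0.2.10 192.0.2.0/24 192.0.2.60 192.0.2.50 | nft -f -

# Accept only dotted-quad IPv4 addresses, optionally with a /prefix, so that
# nothing unexpected is spliced into the generated ruleset.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

edr810_rules() {
    router="$1"; mgmt_vlan="$2"; bastion="$3"; shift 3
    [ $# -ge 1 ] || { echo "need at least one engineering workstation" >&2; return 1; }
    for ip in "$router" "$mgmt_vlan" "$bastion" "$@"; do
        is_ipv4 "$ip" || { echo "bad address: $ip" >&2; return 1; }
    done
    # Join the workstation addresses into an nft set literal: "a, b, c".
    ws=""
    for ip in "$@"; do ws="${ws:+$ws, }$ip"; done
    cat <<EOF
table inet edr810 {
    chain forward {
        type filter hook forward priority 0; policy accept;
        # Replies to sessions the router itself opened (syslog, NTP, ...).
        ct state established,related accept
        # DHCP never reaches the management interface: unauthenticated DoS vector.
        ip daddr $router udp dport { 67, 68 } drop
        # Web management (80/443) only from the engineering workstation allowlist.
        ip saddr { $ws } ip daddr $router tcp dport { 80, 443 } accept
        # SSH only from the bastion host (or VPN concentrator).
        ip saddr $bastion ip daddr $router tcp dport 22 accept
        # SNMP only from the management VLAN; omit this rule if SNMP is disabled.
        ip saddr $mgmt_vlan ip daddr $router udp dport 161 accept
        # Default deny for the router: everything else is logged and dropped.
        ip daddr $router log prefix "edr810-drop " drop
    }
}
EOF
}
```

The log prefix makes the dropped attempts visible in the firewall's kernel log, which is the detection side of the same control.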
CVSS 10