Moxa EDS-405A Series, EDS-408A Series, EDS-510A Series, and IKS-G6824A Series Ethernet Switches Vulnerabilities

Monitor7eds-405a-series-eds-408a-series-eds-510a-series-and-iks-g6824a-series-ethernet-sFeb 1, 2019

Summary

Moxa EDS-405A, EDS-408A, EDS-510A, and IKS-G6824A Series Ethernet Switches contain multiple vulnerabilities: (1) passwords stored in plaintext readable via configuration access, (2) predictable web session cookies allowing credential recovery, (3) unencrypted management protocol allowing password disclosure, (4) no protection against brute force login attacks, (5) authenticated remote denial of service via malformed packets, and (6-7) buffer overflow vulnerabilities in the IKS-G6824A that can cause device reboot or code execution. These switches are commonly deployed in manufacturing and process automation networks.

What this means

What could happen

An attacker could steal administrative passwords stored in plain text or via weak session cookies, then gain full remote control of your network switches and disrupt plant communications. Additionally, buffer overflow vulnerabilities in the IKS-G6824A could cause device crashes or allow arbitrary code execution.

Who's at risk

Manufacturing facilities using Moxa industrial Ethernet switches for network infrastructure should care about this advisory. Specifically, plants relying on EDS-405A, EDS-408A, EDS-510A, or IKS-G6824A switches for process automation networking are affected. These switches are commonly used to connect PLCs, remote I/O devices, and control system workstations.

How it could be exploited

An attacker with network access to the switch's management interface (HTTP/HTTPS or proprietary protocol port) could either read configuration files to extract plaintext credentials, forge session cookies using predictable values, or send specially crafted packets to trigger buffer overflows. Once authenticated, they could reconfigure switches, redirect traffic, or crash devices.

Prerequisites

Network access to the switch's management interface (typically port 80/443 or proprietary management port)
Physical or remote access to obtain configuration files for password extraction
For brute force attacks: no rate limiting on authentication attempts

Remotely exploitableMultiple authentication bypass methodsNo patch available for EDS-405ALow complexity attacks (predictable session IDs, brute force)Affects critical network infrastructureNo rate limiting on login attempts

Exploitability

Moderate exploit probability (EPSS 6.9%)

Affected products (1)

ProductAffected VersionsFix Status

EDS-405AAll versionsNo fix (EOL)

Remediation & Mitigation

0/7

Do now

0/3

WORKAROUNDRestrict network access to switch management interfaces using firewall rules; limit access to authorized engineering workstations only

HARDENINGDisable remote management protocols if not actively used for operations

HARDENINGChange all default and weak administrative passwords immediately after deployment

Schedule — requires maintenance window

0/3

Patching may require device reboot — plan for process interruption

HOTFIXFor EDS-510A Series: Apply the vendor-provided firmware patches listed in the Solutions section instead of upgrading firmware

HOTFIXFor EDS-405A and EDS-408A Series: Upgrade to patched firmware versions provided by Moxa

HOTFIXFor IKS-G6824A Series: Upgrade to patched firmware to address buffer overflow vulnerabilities

Mitigations - no patch available

0/1

EDS-405A has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGImplement network segmentation to isolate switch management traffic on a separate, protected VLAN

CVEs (10)

CVE-2019-6518 CVE-2019-6563 CVE-2019-6526 CVE-2019-6524 CVE-2019-6559 CVE-2019-6557 CVE-2019-6522 CVE-2019-6565 CVE-2019-6520 CVE-2019-6561

View full Moxa Security advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/9d03f2fa-cd6a-493b-9c90-13290c9a0a5c