Moxa EDS-G508E, EDS-G512E, and EDS-G516E Series Ethernet Switches Vulnerabilities
Low Risk | Nov 20, 2019
Summary
A denial-of-service vulnerability (CVE-2019-19707, CWE-400) exists in Moxa EDS-G508E, EDS-G512E, and EDS-G516E Series Ethernet Switches. An attacker can send malformed PROFINET DCE-RPC endpoint discovery packets to the switch, causing it to exhaust CPU or memory resources and become unresponsive. The vulnerability affects all versions of the EDS-G508E; Moxa has not released a firmware patch to address this issue.
What this means
What could happen
An attacker could send specially crafted PROFINET discovery packets to the switch, consuming excessive CPU or memory and causing the device to become unresponsive, interrupting network connectivity for connected equipment on the managed network.
Who's at risk
Water authorities and electric utilities using Moxa EDS-G508E, EDS-G512E, or EDS-G516E managed Ethernet switches in their control networks should assess this risk. These switches are commonly used to connect PLCs, RTUs, SCADA servers, and field instrumentation in water treatment plants, pump stations, and electrical substations.
How it could be exploited
An attacker with network access to the switch could transmit malicious PROFINET DCE-RPC endpoint discovery packets. The device lacks proper rate limiting or validation of these packets, causing it to process excessive requests until it exhausts resources and stops responding to legitimate traffic.
Prerequisites
- Network access to the Moxa switch (Layer 2 or Layer 3)
- PROFINET protocol enabled on the switch
- No authentication required
remotely exploitable, low complexity, no patch available, denial of service
Exploitability
Low exploit probability (EPSS 0.6%)
Affected products (1)
Product | Affected Versions | Fix Status
EDS-G508E | All versions | No fix (EOL)
Remediation & Mitigation
Do now
- WORKAROUND: Restrict network access to the switch management interface using firewall rules or VLAN segmentation; block unnecessary PROFINET discovery traffic (DCE-RPC endpoint discovery packets) at the network perimeter
- WORKAROUND: Disable PROFINET functionality on the switch if it is not required for plant operations
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Monitor the switch for signs of resource exhaustion (high CPU, memory usage, or dropped packets) and establish alerting thresholds to detect potential DoS attacks
Mitigations - no patch available
EDS-G508E has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
- HARDENING: Segment the switch onto a restricted access network where only authorized controllers and field devices can communicate with it
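
The following is an added example, not part of the advisory or any Moxa tooling. It shows one way to turn the access-restriction and alerting-threshold controls above into a check over flow records: it flags sources outside an allowlist and sources that exceed a per-window packet budget toward the switch. The record format, addresses, allowlist and thresholds are constructed assumptions; UDP 34964 is the IANA-registered `profinet-cm` port and is not stated in the advisory.

```python
from collections import defaultdict, deque

PROFINET_CM_PORT = "34964"     # IANA-registered UDP port "profinet-cm"
SWITCH_IP = "192.0.2.10"       # constructed: address of the EDS switch
AUTHORIZED = {"192.0.2.20"}    # constructed: controllers allowed to reach it
WINDOW_S = 10.0                # assumed sliding window, in seconds
MAX_PKTS = 5                   # assumed per-source packet budget per window

# Constructed flow records: "<epoch> <src> <dst> <proto> <dst port>"
SAMPLE_LOG = "\n".join(
    ["1000 192.0.2.20 192.0.2.10 udp 34964",
     "1015 192.0.2.20 192.0.2.10 udp 34964",
     "1020 198.51.100.7 192.0.2.10 tcp 443",
     "truncated record"]
    + [f"{1030 + i * 0.2:.1f} 198.51.100.7 192.0.2.10 udp 34964" for i in range(8)]
)

def detect(log_text):
    """Return (kind, source, timestamp) alerts, one per kind per source."""
    recent = defaultdict(deque)   # source -> timestamps inside the window
    raised = set()                # (kind, source) pairs already alerted
    alerts = []

    def raise_once(kind, src, ts):
        if (kind, src) not in raised:
            raised.add((kind, src))
            alerts.append((kind, src, ts))

    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue              # skip records with the wrong field count
        ts, src, dst, proto, dport = fields
        if (dst, proto, dport) != (SWITCH_IP, "udp", PROFINET_CM_PORT):
            continue              # only PROFINET CM traffic aimed at the switch
        ts = float(ts)
        if src not in AUTHORIZED:
            raise_once("unauthorized-source", src, ts)
        window = recent[src]
        window.append(ts)
        while ts - window[0] > WINDOW_S:
            window.popleft()      # drop packets older than the window
        if len(window) > MAX_PKTS:
            raise_once("rate-exceeded", src, ts)
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

An authorized controller that bursts past the budget still raises `rate-exceeded`, so a misbehaving engineering station is caught as well as an unknown host.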
CVEs (1)