OTPulse

Moxa ioLogik E2200 Series Weak Authentication Practices

Monitor | CVSS 6.5 | ICS-CERT ICSA-16-063-01 | Dec 5, 2016
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

The Moxa ioLogik E2200 series and ioAdmin Configuration Utility use weak authentication mechanisms (CWE-522: Inadequate Logging, CWE-326: Inadequate Encryption Strength) that allow attackers to intercept or bypass credential verification. Affected versions are ioLogik E2200 series <3.12 and ioAdmin Configuration Utility <3.18. No vendor fixes are currently available.

What this means
What could happen
An attacker with network access could intercept or forge authentication credentials for the ioLogik E2200 remote I/O device, potentially gaining unauthorized access to alter I/O states, trigger false alarms, or disrupt SCADA communications in energy substations or distribution systems.
Who's at risk
Energy utilities operating Moxa ioLogik E2200 series remote I/O devices in SCADA or distribution control systems. This includes substation automation, feeder control, and DER (distributed energy resource) monitoring. Also affects operators using ioAdmin Configuration Utility on engineering workstations.
How it could be exploited
An attacker on the same network segment as the ioLogik E2200 can intercept weak authentication traffic or craft unauthorized commands using default or guessed credentials. Once authenticated, the attacker can read/write digital and analog I/O points, disrupting control logic or triggering unintended field actions.
Prerequisites
  • Network access to the ioLogik E2200 device (typically port 502 Modbus TCP or native Moxa protocol ports)
  • No valid credentials required if default credentials are still in use
remotely exploitable · no authentication required · low complexity · no patch available · weak cryptography (CWE-326)
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (2)
2 EOL
Product | Affected Versions | Fix Status
ioLogik E2200 series | <3.12 | No fix (EOL)
ioAdmin Configuration Utility | <3.18 | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Restrict network access to the ioLogik E2200 and ioAdmin Configuration Utility using firewall rules or network segmentation; allow only trusted engineering workstations and SCADA servers
HARDENING: Disable remote access to the device management interface if not required for operations; use only local configuration via ioAdmin when possible
HARDENING: Change any default credentials on the ioLogik E2200 and related systems immediately
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: If remote management is needed, require strong authentication via a VPN or bastion host rather than direct network exposure
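
One way to check from recorded traffic that the network restriction in the first hardening item actually holds, as an added example (not from the advisory or from Moxa): the script flags any flow that reaches a protected device from a source outside the trusted set, on any port. The record format, device addresses and trusted hosts are assumptions, and the sample flows are constructed.

```python
import ipaddress
from collections import Counter

# Constructed values (assumptions): protected ioLogik addresses and the
# engineering workstation / SCADA server allowed to talk to them.
DEVICES = {ipaddress.ip_address(a) for a in ("10.20.0.50", "10.20.0.51")}
TRUSTED = [ipaddress.ip_network(n) for n in ("10.20.1.10/32", "10.20.1.20/32")]

# Constructed flow records, hypothetical format: "timestamp src dst dst_port proto"
SAMPLE_FLOWS = """\
2016-12-05T10:00:01Z 10.20.1.10 10.20.0.50 502 tcp
2016-12-05T10:00:07Z 10.20.1.20 10.20.0.51 502 tcp
2016-12-05T10:02:13Z 10.30.4.77 10.20.0.50 502 tcp
2016-12-05T10:02:15Z 10.30.4.77 10.20.0.50 80 tcp
2016-12-05T10:03:40Z 10.20.1.10 10.20.9.9 443 tcp
2016-12-05T10:04:02Z 192.0.2.15 10.20.0.51 502 tcp
truncated-record 10.20.0.50
"""

def audit_flows(text, devices=DEVICES, trusted=TRUSTED):
    """Return (violations, malformed_line_numbers).

    A violation is a flow to a protected device whose source is not inside
    any trusted network. Every port counts, not only Modbus TCP 502."""
    violations, malformed = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue
        try:
            ts, src, dst, port, proto = fields
            src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(port)
        except ValueError:
            malformed.append(lineno)  # report unparsed lines, never drop them silently
            continue
        if dst in devices and not any(src in net for net in trusted):
            violations.append((ts, str(src), str(dst), port, proto))
    return violations, malformed

def summarize(violations):
    """Count violating flows per (source address, destination port)."""
    return Counter((src, port) for _, src, _, port, _ in violations)

if __name__ == "__main__":
    bad, skipped = audit_flows(SAMPLE_FLOWS)
    for (src, port), n in sorted(summarize(bad).items()):
        print(f"untrusted source {src} reached a protected device on port {port}: {n} flow(s)")
    print("unparsed lines:", skipped)
```
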