OTPulse

Moxa Device Server Web Console Authorization Bypass Vulnerability

Monitor | 7.5 | ICS-CERT ICSA-16-189-02 | Apr 10, 2016
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed

Summary

The Moxa Device Server Web Console (5232-N) contains an authorization bypass vulnerability in all versions. An unauthenticated attacker can access the web management interface without valid credentials, potentially exposing sensitive configuration and operational data.

What this means
What could happen
An attacker could bypass authentication to access the Device Server web console, potentially viewing or modifying device configuration, network settings, and serial port parameters without credentials. This could allow reconnaissance of your serial-to-Ethernet devices or changes to operational configurations.
Who's at risk
Water utilities and power distributors using Moxa Device Servers (model 5232-N) to manage serial communications for RTUs, telemetry units, or legacy industrial equipment should be concerned. These servers are commonly used to convert serial Modbus or Profibus signals to Ethernet in SCADA and monitoring systems.
How it could be exploited
An attacker connects to the web console port (typically 80 or 443) of the Device Server from the network. The authorization check is insufficient, allowing the attacker to access restricted management functions without providing valid login credentials. From there, the attacker can read configuration or potentially trigger reconfiguration of serial or network settings.
Prerequisites
  • Network access to the Device Server web console port (TCP 80 or 443)
  • Device Server must be connected to a network reachable from the attacker
  • No credentials required
remotely exploitable | no authentication required | low complexity | no patch available | affects critical infrastructure devices
Exploitability
Moderate exploit probability (EPSS 1.3%)
Affected products (1)
Product | Affected Versions | Fix Status
Device Server Web Console 5232-N: vers:all/* | All versions | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the Device Server web console port (TCP 80/443) using firewall rules; allow only authorized engineering or management workstations
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Monitor Device Server for configuration changes and unauthorized access attempts; log all web console access
HARDENING: Contact Moxa to confirm end-of-life status for model 5232-N and inquire about firmware updates or migration timeline for newer device server models
Mitigations - no patch available
Device Server Web Console 5232-N: vers:all/* has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Place Device Servers on a dedicated management VLAN or industrial network segment, isolated from general corporate network and internet access
HARDENING: Deploy VPN or jump-host access for any remote web console administration instead of direct internet or untrusted network access
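
The access restriction and web console logging recommended above can be verified against firewall or flow logs. The following is an added example, not part of the advisory or any Moxa tooling; the device addresses, the allowlisted subnet, and the five-field log format are assumptions, and the log lines are constructed.

```python
import ipaddress

# Assumed values for illustration; substitute your own addressing.
DEVICE_SERVERS = {"10.20.30.11", "10.20.30.12"}             # 5232-N units
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.99.0/28")]   # engineering workstations
WEB_CONSOLE_PORTS = {80, 443}

# Constructed sample log, assumed format: "timestamp src dst dport action"
SAMPLE_LOG = """\
2016-04-10T08:01:12Z 10.20.99.5 10.20.30.11 80 ALLOW
2016-04-10T08:03:40Z 10.50.1.77 10.20.30.11 80 ALLOW
2016-04-10T08:04:02Z 10.50.1.77 10.20.30.12 443 DENY
2016-04-10T08:05:19Z 10.20.99.6 10.20.30.12 4001 ALLOW
malformed line
2016-04-10T08:06:55Z 192.0.2.44 10.20.30.12 443 ALLOW
"""

def is_allowed(src):
    """True if the source address is inside an allowlisted management subnet."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ALLOWED_SOURCES)

def audit(log_text):
    """Return (permitted, denied): web console flows from non-allowlisted
    sources, split by whether the firewall let them through."""
    permitted, denied = [], []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue                      # skip malformed records
        ts, src, dst, dport, action = parts
        try:
            port, ok = int(dport), is_allowed(src)
        except ValueError:
            continue                      # bad port or address field
        if dst not in DEVICE_SERVERS or port not in WEB_CONSOLE_PORTS:
            continue                      # not web console traffic
        if ok:
            continue                      # authorized workstation
        (permitted if action == "ALLOW" else denied).append((ts, src, dst, port))
    return permitted, denied

if __name__ == "__main__":
    permitted, denied = audit(SAMPLE_LOG)
    for rec in permitted:
        print("RULE GAP: web console reachable from", rec)
    for rec in denied:
        print("blocked attempt:", rec)
```

Any record in the first list means the firewall rule does not yet limit the web console to the management workstations; records in the second list are blocked attempts worth reviewing.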