OTPulse

Moxa OnCell Security Vulnerabilities

Act Now | CVSS 9.1 | ICS-CERT ICSA-16-308-01 | Aug 7, 2016
Attack Vector: Network
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary

Moxa OnCell industrial cellular gateways and access points contain multiple authentication and access control vulnerabilities affecting all product versions. The vulnerabilities stem from authentication bypass and improper access control mechanisms, allowing unauthorized administrative access to device configuration and management interfaces.

What this means
What could happen
An attacker with network access to an OnCell device could bypass authentication and gain administrative control, allowing them to modify device configuration, intercept communications, or disrupt cellular connectivity to remote sites and critical infrastructure.
Who's at risk
Water authorities and municipal electric utilities using Moxa OnCell cellular gateways for SCADA, telemetry, and remote RTU communications. Specifically affects industrial cellular access points (AWK series, WAC series) and cellular gateways (G3470A-LTE, TAP-6226) used for redundant or out-of-band communications to unmanned sites, pumping stations, and substations.
How it could be exploited
An attacker on the same network segment as an OnCell device (or with routable network access to its management interface, typically port 80 or 443) can exploit the authentication bypass to log in without valid credentials or with elevated privileges, then reconfigure the device or extract sensitive information.
Prerequisites
  • Network access to the OnCell device management interface (HTTP/HTTPS, typically port 80/443)
  • No valid credentials required to trigger the vulnerability
remotely exploitable, no authentication required, low complexity, no patch available, high CVSS (9.1)
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (14)
14 EOL
Product | Affected Versions | Fix Status
OnCell AWK-3131-M12-RCC Series: vers:all/* | All versions | No fix (EOL)
OnCell AWK-5232-M12-RCC Series: vers:all/* | All versions | No fix (EOL)
OnCell AWK-3121/4121 Series: vers:all/* | All versions | No fix (EOL)
OnCell AWK-3131/4131 Series: vers:all/* | All versions | No fix (EOL)
OnCell AWK-5222/6222 Series: vers:all/* | All versions | No fix (EOL)
OnCell G3470A-LTE: vers:all/* | All versions | No fix (EOL)
OnCell AWK-3191 Series: vers:all/* | All versions | No fix (EOL)
OnCell AWK-5232/6232 Series: vers:all/* | All versions | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to OnCell device management interfaces using firewall rules; allow administrative access only from designated engineering workstations or jump hosts on isolated network segments.
HARDENING: Disable HTTP management interface and enforce HTTPS-only access with certificate pinning or trusted certificate validation if supported by firmware.
WORKAROUND: Monitor OnCell device access logs and network traffic for unauthorized login attempts or configuration changes using SIEM or network monitoring tools.
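
An added example (not part of the advisory, and not Moxa or OTPulse tooling) tying the access-restriction and monitoring workarounds together: it reviews firewall flow records for traffic to OnCell management ports (80/443) from sources outside the designated admin segment. The device addresses, admin subnet and flow-record format are assumptions, and the sample records are constructed.

```python
import ipaddress

MGMT_PORTS = {80, 443}                               # ports named in the advisory
ONCELL_DEVICES = {"10.20.0.11", "10.20.0.12"}        # assumed device addresses
ADMIN_NETS = [ipaddress.ip_network("10.99.0.0/28")]  # assumed jump-host segment

# Constructed flow records: timestamp src dst dport proto action
SAMPLE_FLOWS = """\
2024-05-01T02:14:07Z 10.99.0.5 10.20.0.11 443 tcp ALLOW
2024-05-01T02:15:40Z 10.30.4.77 10.20.0.11 80 tcp ALLOW
2024-05-01T02:15:52Z 10.30.4.77 10.20.0.12 443 tcp DENY
2024-05-01T02:16:01Z 10.30.4.77 10.20.0.12 502 tcp ALLOW
2024-05-01T02:16:09Z 10.30.4.77 10.40.0.9 443 tcp ALLOW
truncated-record 10.30.4.77
"""


def is_admin_source(src):
    """True if src lies in a designated admin network; ValueError if malformed."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in ADMIN_NETS)


def review_flows(text):
    """Return (findings, skipped_line_numbers) for management-port traffic
    to an OnCell device from a source outside ADMIN_NETS."""
    findings, skipped = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            ts, src, dst, dport, _proto, action = line.split()
            port, admin = int(dport), is_admin_source(src)
        except ValueError:
            skipped.append(lineno)  # surface malformed records, never drop silently
            continue
        if dst not in ONCELL_DEVICES or port not in MGMT_PORTS or admin:
            continue
        # ALLOW: the firewall passed it, so the restriction has a gap.
        # Anything else: the control held, but the source is still attempting access.
        kind = "rule-gap" if action == "ALLOW" else "blocked-probe"
        findings.append({"line": lineno, "time": ts, "src": src,
                         "dst": dst, "port": port, "kind": kind})
    return findings, skipped


if __name__ == "__main__":
    found, bad = review_flows(SAMPLE_FLOWS)
    for f in found:
        print(f)
    print("unparseable lines:", bad)
```

A "rule-gap" finding means the firewall policy itself needs correcting; a "blocked-probe" finding is a candidate for a SIEM alert on the source address.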
Mitigations - no patch available
The following products have reached End of Life with no planned fix: OnCell AWK-3131-M12-RCC Series: vers:all/*, OnCell AWK-5232-M12-RCC Series: vers:all/*, OnCell AWK-3121/4121 Series: vers:all/*, OnCell AWK-3131/4131 Series: vers:all/*, OnCell AWK-5222/6222 Series: vers:all/*, OnCell G3470A-LTE: vers:all/*, OnCell AWK-3191 Series: vers:all/*, OnCell AWK-5232/6232 Series: vers:all/*, OnCell AWK-1121/1127 Series: vers:all/*, OnCell WAC-1001 V2 Series: vers:all/*, WAC-2004 Series: vers:all/*, OnCell AWK-3121-M12-RTG Series: vers:all/*, OnCell TAP-6226 Series: vers:all/*, OnCell AWK-1131A/3131A/4131A Series: vers:all/*. Apply the following compensating controls:
HARDENING: Implement network segmentation to isolate OnCell devices from the general corporate network and SCADA networks; place them on a dedicated management VLAN with strict access controls.
HARDENING: Evaluate alternative cellular gateway vendors for new deployments; plan lifecycle replacement of affected OnCell models as budget allows.