Moxa IKS, EDS (Update A)

Plan PatchCVSS 9.8ICS-CERT ICSA-19-057-01Feb 1, 2019

MoxaManufacturing

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Moxa IKS-G6824A, EDS-408A, EDS-510A, and EDS-405A industrial switches and edge devices contain multiple vulnerabilities including buffer overflow, cross-site request forgery (CSRF), weak session ID generation, authentication bypass, and weak cryptography. These flaws allow unauthenticated attackers to read sensitive configuration data, execute arbitrary commands, alter device settings, capture session data, cause device reboot or crash, or achieve full device compromise. Affected firmware versions: IKS-G6824A (≤5.6), EDS series (≤3.8).

What this means

What could happen

An attacker could remotely execute code on these industrial switches and network devices without authentication, potentially altering device configuration, capturing network traffic, stopping operations, or taking devices offline.

Who's at risk

Water utilities and municipal electric utilities that use Moxa industrial Ethernet switches and edge devices (IKS-G6824A, EDS-408A, EDS-510A, EDS-405A series) for plant network connectivity and remote monitoring. These are common in SCADA networks and RTU/PLC communication links.

How it could be exploited

An attacker on the network (or internet if the device is exposed) sends a crafted request to the web interface or network service of the affected device. Due to authentication bypass and input validation flaws, the attacker can inject code, alter settings, or crash the device without valid credentials.

Prerequisites

Network access to the device's web interface or network services (ports commonly 80/443 or Modbus TCP)
No valid credentials required

remotely exploitableno authentication requiredlow complexityno patch availableaffects network infrastructure in OT environmentshigh CVSS score (9.8)

Exploitability

Some exploitation risk — EPSS score 6.9%

Affected products (5)

5 EOL

ProductAffected VersionsFix Status

EDS-405AAll versionsNo fix (EOL)

EDS-408A series:≤ 3.8No fix (EOL)

EDS-510A series:≤ 3.8No fix (EOL)

EDS-405A series:≤ 3.8No fix (EOL)

IKS-G6824A series:≤ 5.6No fix (EOL)

Remediation & Mitigation

0/5

Do now

0/3

WORKAROUNDConfigure EDS series devices for HTTPS-only web access to reduce predictable session ID exploitation

HARDENINGPlace all Moxa switches and edge devices behind a firewall and isolate from internet and business network access

HARDENINGImplement network segmentation to restrict access to these devices to authorized engineering and operational staff only

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXRequest and install firmware patch from Moxa Customer Service (login required to obtain patch file)

Mitigations - no patch available

0/1

The following products have reached End of Life with no planned fix: EDS-405A, EDS-408A series:, EDS-510A series:, EDS-405A series:, IKS-G6824A series:. Apply the following compensating controls:

HARDENINGUse VPN for any required remote access to these devices, and keep VPN software updated

CVEs (10)

CVE-2019-6557 CVE-2019-6561 CVE-2019-6565 CVE-2019-6520 CVE-2019-6524 CVE-2019-6526 CVE-2019-6522 CVE-2019-6518 CVE-2019-6563 CVE-2019-6559

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/4120bd7e-93c2-4192-9229-3fe21740f0cd

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.