Moxa AWK-3121

Act Now9.8ICS-CERT ICSA-19-337-02Dec 3, 2019

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Moxa AWK-3121 wireless access point contains multiple critical vulnerabilities allowing remote code execution, information disclosure, and denial of service. The device is end-of-life with no patch available from the vendor.

What this means

What could happen

An attacker can execute arbitrary code on the wireless access point, potentially intercepting network traffic, disrupting plant connectivity, or using it as a pivot point to attack control system devices and sensors relying on the wireless network.

Who's at risk

Water utilities and electric cooperatives using Moxa AWK-3121 wireless access points to connect remote sensors, RTUs, or other control field devices. Any organization with wireless connectivity to operational networks in industrial settings should check for this device model.

How it could be exploited

An attacker can send crafted network requests to the AWK-3121 over the internet or from any network segment where the device is reachable. The vulnerabilities include weak authentication, command injection, and cross-site request forgery, allowing the attacker to gain control without valid credentials.

Prerequisites

Network access to the AWK-3121 device (device must be reachable from attacker's network or internet)
No valid credentials required for exploitation

Remotely exploitableNo authentication requiredLow complexity attackNo patch available (end-of-life product)Affects network infrastructure for control systemsCVSS 9.8 (critical)

Exploitability

Moderate exploit probability (EPSS 2.4%)

Affected products (1)

ProductAffected VersionsFix Status

AWK-3121: All≤ 1.14No fix (EOL)

Remediation & Mitigation

0/5

Do now

0/2

WORKAROUNDImmediately place AWK-3121 behind a firewall and restrict network access to authorized connections only; disable remote access and limit to local plant network only

HARDENINGDisable any unused features or services on the AWK-3121

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXReplace AWK-3121 with Moxa AWK-1131A or equivalent current-generation wireless access point

Mitigations - no patch available

0/2

AWK-3121: All has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGSegment the wireless network behind a firewall; prevent direct communication between the wireless network and the business network or Internet

HARDENINGIf remote access to the AWK-3121 is required, use a VPN with current security patches and strong authentication

CVEs (14)

CVE-2018-10690 CVE-2018-10691 CVE-2018-10692 CVE-2018-10693 CVE-2018-10694 CVE-2018-10695 CVE-2018-10696 CVE-2018-10697 CVE-2018-10698 CVE-2018-10699 CVE-2018-10700 CVE-2018-10701 CVE-2018-10702 CVE-2018-10703

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/b2393948-aab2-463e-9cdb-5f9d99b73c68