Moxa MB3xxx Series Protocol Gateways
Act Now · CVSS 9.8 · ICS-CERT ICSA-20-056-01 · Feb 25, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
The Moxa MB3xxx series protocol gateways contain multiple critical vulnerabilities including buffer overflow (CWE-121, CWE-680), weak authentication (CWE-352, CWE-327), and credential handling flaws (CWE-521, CWE-200). These allow remote attackers to execute arbitrary code, crash devices, or access sensitive information without credentials over HTTP, Telnet, or other network services. Affected models: MB3170 (firmware ≤4.0), MB3180 (≤2.0), MB3270 (≤4.0), MB3280 (≤3.0), MB3480 (≤3.0), MB3660 (≤2.2).
What this means
What could happen
An attacker could remotely execute arbitrary code on these protocol gateways, crash them, or access sensitive information. This could disrupt communication between your industrial devices and SCADA systems, halting data collection and control.
Who's at risk
Water utilities, electric utilities, wastewater treatment plants, and other facilities using Moxa MB3xxx series protocol gateways (MB3170, MB3180, MB3270, MB3280, MB3480, MB3660). These devices bridge legacy industrial equipment (Modbus, Profibus, etc.) to modern networks. Loss of gateway function prevents SCADA systems from communicating with PLCs, RTUs, and other field devices.
How it could be exploited
An attacker on the network can send a specially crafted message to the gateway on port 80 (HTTP), 23 (Telnet), or other service ports to trigger a buffer overflow or code execution flaw. No credentials or user interaction are required. The attacker gains the ability to run commands directly on the gateway device.
Prerequisites
- Network access to the Moxa gateway device (same network segment or routable path)
- No authentication required
- Device running vulnerable firmware version (3.0 or earlier for MB3280/MB3480, 4.0 or earlier for MB3170/MB3270, 2.2 or earlier for MB3660, 2.0 or earlier for MB3180)
- Remotely exploitable
- No authentication required
- Low complexity attack
- High CVSS score (9.8)
- High EPSS score (9.1%)
- No patch available for some models
- Buffer overflow vulnerability
Exploitability
Moderate exploit probability (EPSS 9.1%)
Affected products (6)
6 pending
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| MB3280 series: firmware | ≤ 3.0 | No fix yet |
| MB3270 series: firmware | ≤ 4.0 | No fix yet |
| MB3170 series: firmware | ≤ 4.0 | No fix yet |
| MB3480 series: firmware | ≤ 3.0 | No fix yet |
| MB3660 series: firmware | ≤ 2.2 | No fix yet |
| MB3180 series: firmware | ≤ 2.0 | No fix yet |
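To turn the table above into an asset check, the following added example (not part of the advisory and not Moxa code) classifies an inventory export against the listed firmware thresholds. The `host,model,firmware` line format, the hostnames, and matching a model to its series by the `MB3xxx` number are assumptions.

```python
import re

# Highest affected firmware per series, copied from the advisory's table.
AFFECTED_MAX = {
    "MB3170": (4, 0), "MB3270": (4, 0),
    "MB3280": (3, 0), "MB3480": (3, 0),
    "MB3660": (2, 2), "MB3180": (2, 0),
}

def parse_version(text):
    """Return the version as a tuple of ints, or None if it cannot be parsed."""
    m = re.fullmatch(r"[vV]?(\d+(?:\.\d+)*)", text.strip())
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def series_of(model):
    """Map a model string to an advisory series by its MB3xxx number (assumption)."""
    m = re.search(r"MB3\d{3}", model.upper())
    return m.group(0) if m and m.group(0) in AFFECTED_MAX else None

def classify(model, firmware):
    """Return 'affected', 'not-affected', 'review' or 'out-of-scope'."""
    series = series_of(model)
    if series is None:
        return "out-of-scope"
    version = parse_version(firmware)
    if version is None:
        return "review"  # unreadable firmware string: verify on the device
    limit = AFFECTED_MAX[series]
    width = max(len(version), len(limit))
    pad = lambda v: v + (0,) * (width - len(v))  # so 3.0.0 compares equal to 3.0
    return "affected" if pad(version) <= pad(limit) else "not-affected"

def audit(inventory_text):
    """Parse 'host,model,firmware' lines into (host, model, status) rows."""
    rows = [[f.strip() for f in l.split(",")] for l in inventory_text.strip().splitlines()]
    return [(host, model, classify(model, fw)) for host, model, fw in rows]

# Constructed inventory for illustration; hostnames and firmware strings are made up.
SAMPLE = """\
gw-pump-01,MB3170,4.0
gw-pump-02,MB3270,v4.1
gw-sub-08,MB3480,3.0.0
gw-lab-01,MB3180,unknown
hist-01,other-device,2.9
"""

if __name__ == "__main__":
    for host, model, status in audit(SAMPLE):
        print(f"{host:12} {model:14} {status}")
```

Rows marked `review` have a firmware string the script could not read and should be confirmed on the device before being treated as unaffected.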
Remediation & Mitigation
Do now
- WORKAROUND: Disable HTTP and Telnet services on all Moxa gateway devices immediately
- HARDENING: Restrict network access to gateway devices using firewall rules; only allow traffic from authorized engineering workstations and control systems
- HARDENING: Implement VPN tunnel for any remote access to gateway devices
- WORKAROUND: Use Moxa utilities (MGate Manager, NPort Administration Suite) instead of direct HTTP/Telnet for device configuration and monitoring
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Upgrade all affected gateway devices to latest available firmware from Moxa
CVEs (8)