OTPulse

Moxa PT-7528 and PT-7828 Series Ethernet Switches

Act Now · CVSS 10 · ICS-CERT ICSA-20-056-03 · Feb 25, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple vulnerabilities in Moxa PT-7528 (firmware ≤4.0) and PT-7828 (firmware ≤3.9) series switches include weak authentication mechanisms, insufficient encryption, and hard-coded credentials. Successful exploitation could allow unauthorized access to the device, crash it, or expose sensitive information. These issues affect the switch's ability to securely manage network traffic to control system devices.

What this means
What could happen
An attacker could crash these switches or extract sensitive information, disrupting network communication to critical process equipment like PLCs, sensors, and RTUs in the plant. Loss of network connectivity could halt production or cause unsafe states in safety-instrumented systems.
Who's at risk
Water authorities, electric utilities, and other critical infrastructure operators using Moxa PT-7528 and PT-7828 Ethernet switches in control networks. These switches connect PLCs, RTUs, SCADA servers, and field sensors, so compromise could affect process visibility and control across the entire plant.
How it could be exploited
An attacker with network access to the switch could exploit weaknesses in account authentication and encryption mechanisms to gain unauthorized access. Once authenticated, the attacker could crash the device or read sensitive data, causing network disruption to downstream control systems.
Prerequisites
  • Network access to the Ethernet switch (local network or remote access)
  • No valid credentials required (authentication weaknesses allow bypass)
remotely exploitable, no authentication required, low complexity, no patch available, affects critical network infrastructure, default or weak credentials may exist
Exploitability
Moderate exploit probability (EPSS 1.9%)
Affected products (2)
2 EOL
Product | Affected Versions | Fix Status
PT-7528 series: firmware | ≤ 4.0 | No fix (EOL)
PT-7828 series: firmware | ≤ 3.9 | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Enable 'Account Login Failure Lockout' function on the switch immediately to mitigate authentication bypass risk
HARDENING: Isolate switch behind firewall and implement network segmentation to restrict access to authorized engineering networks only
HARDENING: Ensure switches are not accessible from the Internet or business network; use air-gapped or VPN-protected access for remote administration
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Apply security patch from Moxa Technical Support when available
Moxa PT-7528 and PT-7828 Series Ethernet Switches | CVSS 10 - OTPulse