Moxa AWK-3131A Series Industrial AP/Bridge/Client
Plan Patch | CVSS 10 | ICS-CERT ICSA-20-063-04 | Mar 3, 2020
Moxa | Manufacturing | Transportation
Summary
The Moxa AWK-3131A Series industrial wireless access point/bridge in firmware version 1.13 and earlier contains multiple vulnerabilities including command injection (CWE-78), buffer overflow (CWE-120, CWE-121), hardcoded credentials (CWE-798), and improper authentication (CWE-288, CWE-284). Successful exploitation with valid login credentials allows remote arbitrary code execution with device privileges, potentially compromising network integrity and control system communications.
What this means
What could happen
An attacker with login credentials could execute arbitrary code on this wireless AP/bridge, potentially gaining control over your network connectivity, intercepting traffic, or disrupting communications to remote RTUs, pumps, or other field devices.
Who's at risk
Manufacturing plants and utilities that use Moxa AWK-3131A wireless access points or bridges for remote site connectivity, including water and electric facilities deploying wireless links to pump stations, substations, or remote telemetry equipment.
How it could be exploited
An attacker with valid login credentials connects to the device via the network or web interface, then exploits one of several memory corruption or command injection flaws (CWE-78, CWE-120, CWE-121) to run arbitrary commands with device privileges. This could be leveraged to modify network routes, inject traffic, or use the AP as a pivot point into your control network.
Prerequisites
- Valid login credentials (engineering or admin account)
- Network access to the device management interface (web UI or SSH)
- Device running firmware version 1.13 or earlier
remotely exploitable | requires valid credentials | multiple memory corruption and command injection flaws | no fix currently available
Exploitability
Some exploitation risk — EPSS score 5.8%
Affected products (2)
2 EOL
Product | Affected Versions | Fix Status
AWK-3131A | All versions | No fix (EOL)
AWK-3131A: firmware | ≤ 1.13 | No fix (EOL)
Remediation & Mitigation
Do now
AWK-3131A
WORKAROUND: Restrict network access to the AWK-3131A management interface using firewall rules or access control lists; allow only authorized engineering workstations or VPN gateways
All products
HARDENING: Change default or factory-set credentials on all Moxa wireless devices to strong, unique passwords
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption
AWK-3131A
HOTFIX: Contact Moxa technical support to obtain the security patch for AWK-3131A
Mitigations - no patch available
The following products have reached End of Life with no planned fix: AWK-3131A, AWK-3131A: firmware. Apply the following compensating controls:
HARDENING: Segment the wireless AP onto a separate management network, isolated from operational control network traffic
CVEs (12)