Moxa AWK-3131A Series Industrial AP/Bridge/Client
Act Now | 9.9 | ICS-CERT ICSA-20-063-04 | Mar 3, 2020
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
The Moxa AWK-3131A Series industrial wireless access point/bridge in firmware version 1.13 and earlier contains multiple vulnerabilities including command injection (CWE-78), buffer overflow (CWE-120, CWE-121), hardcoded credentials (CWE-798), and improper authentication (CWE-288, CWE-284). Successful exploitation with valid login credentials allows remote arbitrary code execution with device privileges, potentially compromising network integrity and control system communications.
What this means
What could happen
An attacker with login credentials could execute arbitrary code on this wireless AP/bridge, potentially gaining control over your network connectivity, intercepting traffic, or disrupting communications to remote RTUs, pumps, or other field devices.
Who's at risk
Manufacturing plants and utilities that use Moxa AWK-3131A wireless access points or bridges for remote site connectivity, including water and electric facilities deploying wireless links to pump stations, substations, or remote telemetry equipment.
How it could be exploited
An attacker with valid login credentials connects to the device via the network or web interface, then exploits one of several memory corruption or command injection flaws (CWE-78, CWE-120, CWE-121) to run arbitrary commands with device privileges. This could be leveraged to modify network routes, inject traffic, or use the AP as a pivot point into your control network.
Prerequisites
- Valid login credentials (engineering or admin account)
- Network access to the device management interface (web UI or SSH)
- Device running firmware version 1.13 or earlier
remotely exploitable | requires valid credentials | multiple memory corruption and command injection flaws | no fix currently available
Exploitability
Moderate exploit probability (EPSS 5.8%)
Affected products (1)
Product | Affected Versions | Fix Status
AWK-3131A: firmware | ≤ 1.13 | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the AWK-3131A management interface using firewall rules or access control lists; allow only authorized engineering workstations or VPN gateways
HARDENING: Change default or factory-set credentials on all Moxa wireless devices to strong, unique passwords
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Contact Moxa technical support to obtain the security patch for AWK-3131A
Mitigations - no patch available
AWK-3131A: firmware has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Segment the wireless AP onto a separate management network, isolated from operational control network traffic
CVEs (12)