Moxa EDR-G902 and EDR-G903 Series Routers
Act Now | 9.8 | ICS-CERT ICSA-20-196-02 | Jul 14, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
A buffer overflow vulnerability in Moxa EDR-G902 and EDR-G903 series routers (firmware versions 5.4 and earlier) can be exploited remotely without authentication. Successful exploitation could crash the device or allow remote code execution. No patch is currently available from Moxa.
What this means
What could happen
A remote attacker could crash the Moxa router or execute arbitrary code on it, potentially disrupting network connectivity for connected industrial devices and allowing man-in-the-middle attacks on critical control traffic.
Who's at risk
Water utilities, electric utilities, and any OT environment that relies on Moxa EDR-G902 or EDR-G903 series routers for industrial network connectivity. These routers are commonly used to connect remote substations, pump stations, and other distributed control points back to the main network.
How it could be exploited
An attacker on the network can send a specially crafted packet to the router on its exposed interface that triggers a buffer overflow condition. This could crash the device, or with careful payload construction, achieve remote code execution to gain control of the router itself.
Prerequisites
- Network reachability to the Moxa EDR-G902 or EDR-G903 router interface
- No authentication required
- Affected firmware version 5.4 or earlier
- Remotely exploitable
- No authentication required
- Low attack complexity
- Critical severity
- No patch currently available
- Affects network infrastructure critical to process continuity
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (2)
2 EOL
Product | Affected Versions | Fix Status
EDR-G903 Series: firmware | ≤ 5.4 | No fix (EOL)
EDR-G902 Series: firmware | ≤ 5.4 | No fix (EOL)
Remediation & Mitigation
Do now
- HARDENING: Do not expose Moxa EDR-G902 or EDR-G903 routers to untrusted networks, including the Internet; place them behind a firewall and isolate them on a dedicated control network segment
- HARDENING: If remote access to the router is required, use a VPN with the most current version available and enforce strong authentication
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Monitor Moxa's security advisory page for firmware patches; apply patches as soon as they become available and your maintenance window permits
CVEs (1)