Moxa MGate Protocol Gateways
Act Now | 9.8 | ICS-CERT ICSA-21-357-01 | Dec 23, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Moxa MGate MB3000 Series protocol gateways contain a vulnerability that allows remote attackers to obtain sensitive information. The vulnerability affects MGate MB3280, MB3180, and MB3480 series devices running firmware versions 4.1 or earlier, 2.2 or earlier, and 3.2 or earlier respectively. Attackers can exploit this without authentication or user interaction.
What this means
What could happen
An attacker could remotely access sensitive information from your MGate gateway, potentially exposing device configuration, network topology, or authentication credentials used for protocol bridging and data communication.
Who's at risk
Water utilities, electrical utilities, and manufacturing plants using Moxa MGate MB3000 series gateways for Modbus/TCP, EtherNet/IP, or other legacy protocol bridging. The devices typically sit at the boundary between operational technology networks and corporate IT networks, making this a critical exposure point.
How it could be exploited
An attacker on the network can send HTTP requests to the MGate gateway's console function, which uses unencrypted HTTP by default. The gateway exposes sensitive data in responses without requiring authentication. Disabling HTTP in favor of HTTPS encrypts the communication and reduces the attack surface.
Prerequisites
- Network access to the MGate gateway's HTTP console port (typically 80)
- HTTP console function enabled (default configuration)
Remotely exploitable | No authentication required | Low complexity attack | No vendor patch available | End-of-life product status | Sits at OT/IT network boundary
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (3)
3 EOL
Product | Affected Versions | Fix Status
MGate MB3280 Series: Firmware | ≤ 4.1 | No fix (EOL)
MGate MB3180 Series: Firmware | ≤ 2.2 | No fix (EOL)
MGate MB3480 Series: Firmware | ≤ 3.2 | No fix (EOL)
Remediation & Mitigation
Do now
- WORKAROUND: Enable HTTPS and disable the HTTP console function under Console Settings
- HARDENING: Ensure MGate devices are not directly accessible from the Internet
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Refer to Moxa Security Hardening Guide for MGate MB3000 Series for additional configuration guidance
Mitigations - no patch available
The following products have reached End of Life with no planned fix: MGate MB3280 Series: Firmware, MGate MB3180 Series: Firmware, MGate MB3480 Series: Firmware. Apply the following compensating controls:
- HARDENING: Isolate MGate gateway devices from the business network behind firewalls
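A fleet check for the workaround above, as an added example that is not from Moxa, ICS-CERT, or this advisory page: it flags inventory entries whose firmware falls in the affected ranges and verifies that the HTTP console is closed and HTTPS is open. The inventory fields, the firmware string format, and HTTPS on port 443 are assumptions.

```python
import socket

# Highest affected firmware per series, from the advisory's product table.
AFFECTED_MAX = {"MB3280": (4, 1), "MB3180": (2, 2), "MB3480": (3, 2)}

def parse_version(text):
    """'4.1' or 'v4.1 Build 1' -> (4, 1). The string format is an assumption."""
    token = text.strip().lstrip("vV").split()[0]
    return tuple(int(part) for part in token.split("."))

def is_affected(model, firmware):
    """True if the model is a listed series and firmware <= the affected ceiling."""
    version = parse_version(firmware)
    for series, ceiling in AFFECTED_MAX.items():
        if series in model.upper():
            width = max(len(version), len(ceiling))
            pad = lambda v: v + (0,) * (width - len(v))  # so 4.1.0 == 4.1
            return pad(version) <= pad(ceiling)
    return False

def port_open(host, port, timeout=2.0):
    """Plain TCP connect; sends no data to the device."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def audit(device, probe=port_open):
    """Return findings for one inventory entry (dict: host, model, firmware)."""
    findings = []
    if is_affected(device["model"], device["firmware"]):
        findings.append("affected firmware, no fix (EOL)")
    if probe(device["host"], 80):  # HTTP console port per the advisory
        findings.append("HTTP console reachable: disable it under Console Settings")
    if not probe(device["host"], 443):  # assumption: HTTPS console on 443
        findings.append("HTTPS console not reachable on 443")
    return findings

if __name__ == "__main__":
    # Constructed inventory and reachability table so the demo runs offline;
    # drop the probe argument to test real devices you operate.
    inventory = [
        {"host": "192.0.2.10", "model": "MGate MB3280", "firmware": "4.1"},
        {"host": "192.0.2.11", "model": "MGate MB3180", "firmware": "2.3"},
    ]
    open_ports = {("192.0.2.10", 80), ("192.0.2.11", 443)}
    for dev in inventory:
        print(dev["host"], audit(dev, probe=lambda h, p: (h, p) in open_ports))
```

An empty findings list means the device is outside the affected versions and has the HTTP console closed with HTTPS reachable; the firewall isolation items still need separate verification from the business network side.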
CVEs (1)