Moxa ioLogik 2542-HSPA Series Controllers and I/Os, and IOxpress Configuration Utility Vulnerabilities
Low Risk · Sep 25, 2019
Summary
Moxa ioLogik 2542-HSPA Series Controllers and I/Os and the IOxpress Configuration Utility contain three security weaknesses: (1) configuration files are protected with weak cryptographic algorithms (CVE-2018-18238); (2) credentials in configuration files are stored in cleartext (CVE-2020-7003); in both cases an attacker who obtains the file can read sensitive information from it; (3) frequent requests to the web server interface cause a denial of service (CVE-2019-18242), leaving the device unresponsive to legitimate management commands. All versions of the ioLogik 2542-HSPA are affected; the product is end-of-life and no firmware patch is available from the vendor.
What this means
What could happen
An attacker who obtains the device configuration file could extract sensitive information such as credentials or network settings and reuse any recovered credentials against the device's management interface. Separately, an attacker could send repeated requests to the web server interface until it stops responding, disrupting remote monitoring and configuration of the controller.
Who's at risk
Energy sector operators responsible for remote I/O controllers and data acquisition devices, particularly those running Moxa ioLogik 2542-HSPA Series controllers for distributed monitoring and control in substations, generation facilities, or transmission/distribution networks where configuration management and device availability are critical.
How it could be exploited
An attacker would need either to obtain or intercept the configuration file (at rest on an engineering workstation or the device, or in transit during an IOxpress upload/download) and extract credentials and sensitive settings from it, or to send a high volume of rapid requests to the device's web server port to trigger a denial-of-service condition. The denial of service needs no credentials. Both attacks can be performed from inside your network wherever the device is reachable.
Prerequisites
- Network access to the device web server port (typically port 80 or 443)
- Ability to obtain or intercept configuration files (requires local file system access or network interception)
- No authentication required for web server denial-of-service attack
Tags:
- No patch available
- Low CVSS score (3.0) but affects device availability and credential protection
- Weak cryptographic algorithms and cleartext storage of credentials in configuration files
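Before rotating anything, an operator needs to know which fields of an exported configuration an attacker could actually read. The script below is an added example, not the advisory's text and not Moxa or IOxpress code: it parses an exported configuration and classifies each credential-like value as cleartext, base64 (reversible encoding, which is not encryption) or unknown. The INI layout, section and key names in SAMPLE_EXPORT are constructed because the page does not publish the real export format, and the heuristics in classify (base64 shape, printability, the 16-character cutoff) are assumptions to tune for your files.

```python
"""Audit an exported controller configuration for recoverable credentials.

Added example, not vendor code.  The export format below is a constructed
stand-in for whatever IOxpress writes; adapt section/key handling to yours.
"""
import base64
import binascii
import configparser
import re
import string

# Constructed sample export (assumed INI-style layout, not the real IOxpress format).
SAMPLE_EXPORT = """\
[device]
name = RTU-SUB-07
ip = 192.168.10.21

[account]
username = admin
password = Admin1234

[snmp]
read_community = cHVibGlj

[cellular]
apn_password = AAECAwQFBgcICQoLDA0ODxAREhMUFRYX
"""

# Key names that usually hold a secret (assumed list; extend for your exports).
SENSITIVE_KEY = re.compile(r"(password|passwd|pwd|secret|community|psk|key)$", re.I)
PRINTABLE = set(string.printable) - set("\x0b\x0c")
B64_SHAPE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def _printable(text):
    return bool(text) and all(c in PRINTABLE for c in text)


def classify(value):
    """'cleartext': the secret as typed.  'base64': reversible encoding, not
    encryption.  'unknown': base64-shaped but not readable, i.e. ciphertext or a
    long random password; worth a manual look rather than an automatic verdict."""
    if len(value) % 4 == 0 and len(value) >= 8 and B64_SHAPE.match(value):
        try:
            decoded = base64.b64decode(value, validate=True).decode("utf-8")
            if _printable(decoded):
                return "base64"
        except (binascii.Error, UnicodeDecodeError):
            pass
        if len(value) >= 16:          # assumed cutoff: too long/random for a typed password
            return "unknown"
    return "cleartext" if _printable(value) else "unknown"


def audit(export_text):
    """Return [(section, key, classification)] for every sensitive-looking key."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(export_text)
    findings = []
    for section in cfg.sections():
        for key, value in cfg.items(section):
            if SENSITIVE_KEY.search(key):
                findings.append((section, key, classify(value.strip())))
    return findings


def accounts_to_rotate(export_text):
    """Credentials an attacker holding the file can read directly: rotate these."""
    return [(s, k) for s, k, c in audit(export_text) if c in ("cleartext", "base64")]


if __name__ == "__main__":
    for section, key, verdict in audit(SAMPLE_EXPORT):
        print(f"[{section}] {key}: {verdict}")
    print("rotate:", accounts_to_rotate(SAMPLE_EXPORT))
```

Run it over every configuration export you have ever copied onto a share, ticket or e-mail, not only the current one: the advisory's point is that any copy of the file is as good as the credentials in it.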
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (1)
Product | Affected Versions | Fix Status
ioLogik 2542-HSPA | All versions | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Deploy firewall rules to block or rate-limit HTTP/HTTPS requests to the device web server from untrusted network segments
HARDENING: Rotate any credentials that may have been stored in unencrypted configuration files
Schedule — requires maintenance window
No firmware patch exists for this end-of-life product; the following changes alter how the controller is reached on the network and should be scheduled in a maintenance window.
HARDENING: Implement network segmentation to restrict access to ioLogik 2542-HSPA controllers to only authorized engineering workstations and management networks
HARDENING: Protect configuration files by storing them in encrypted form and transmitting them only over secure, authenticated channels
HARDENING: Monitor web server logs for unusual request patterns (many requests from one source in a short window) that may indicate denial-of-service attempts
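The monitoring step above, as an added example that is not part of the advisory and not Moxa code. It assumes access logs in the Apache/nginx combined format written by a reverse proxy, firewall or capture probe in front of the controller, since the page does not describe the device's own logging; the threshold (20 requests in 10 seconds) is an assumed starting point, and the log lines are constructed.

```python
"""Flag sources flooding the ioLogik web interface (added example, not vendor code)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined/common log format as written by nginx or Apache.  Assumed to come
# from a proxy, firewall or capture probe in front of the device, because the
# advisory does not describe the controller's own log format.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (src_ip, timestamp, request, status), or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (m.group("src"), datetime.strptime(m.group("ts"), TS_FMT),
            m.group("req"), int(m.group("status")))


def find_floods(lines, window_s=10, threshold=20):
    """Per-source sliding-window rate check.

    Returns {src_ip: peak_requests_in_window} for every source that issued at
    least `threshold` requests inside any `window_s`-second span.  Lines must be
    in time order per source, as access logs normally are.
    """
    recent = defaultdict(deque)   # src -> timestamps still inside the window
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue               # tolerate junk lines; a monitor must not crash on them
        src, ts, _, _ = rec
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold:
            peaks[src] = max(peaks.get(src, 0), len(q))
    return peaks


def sample_log():
    """Constructed sample: one host hammering /index.htm, one normal operator."""
    fmt = '{src} - - [25/Sep/2019:10:00:{sec:02d} +0000] "GET {path} HTTP/1.1" 200 512'
    flood = [fmt.format(src="10.0.5.77", sec=i // 10, path="/index.htm") for i in range(30)]
    normal = [fmt.format(src="10.0.1.10", sec=s, path="/status.htm") for s in (0, 15, 30, 45)]
    return flood + normal + ["garbage line that does not parse"]


if __name__ == "__main__":
    for src, peak in find_floods(sample_log()).items():
        print(f"ALERT {src}: {peak} requests within 10 s")
```

Tune the threshold from a baseline of your own SCADA polling traffic first, or a legitimate HMI that refreshes the status page every few seconds will be the first thing you alert on.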