OTPulse

Moxa ioLogik E1200 Series and ioLogik E2200 Series Controllers and I/O Vulnerabilities

Aug 19, 2016
Summary

Moxa ioLogik E1200 and E2200 Series Controllers contain multiple web interface vulnerabilities:
  1. Stored XSS (CVE-2016-8359): An authenticated user can execute arbitrary code through the web console.
  2. Unencrypted password transmission (CVE-2016-8372): Passwords are transmitted via HTTP GET requests without encryption.
  3. Password truncation (CVE-2016-8379): Weak password storage allows brute-force attacks against simple passwords.
  4. Missing CSRF protection (CVE-2016-8350): Attackers can force legitimate users to make unauthorized requests to the controller.
These devices are remote I/O controllers commonly deployed in industrial networks for analog/digital signal acquisition and control.

What this means
What could happen
An attacker with network access to the web interface could intercept unencrypted credentials, execute commands on the device through authenticated XSS, or force an authenticated operator to unknowingly modify I/O configurations, potentially disrupting sensor readings or control outputs to critical processes.
Who's at risk
Water and electric utilities, manufacturing plants, and other facilities using Moxa ioLogik E1200 or E2200 remote I/O controllers for SCADA data acquisition, remote terminal units (RTUs), or fieldbus-to-Ethernet gateways. Any operator or technician with network access to the controller's web management interface is at risk.
How it could be exploited
An attacker on the same network can passively intercept HTTP traffic to capture admin credentials sent via GET requests (CVE-2016-8372), then use those credentials to log in and execute arbitrary code through stored XSS payloads in the web console (CVE-2016-8359). Alternatively, the attacker can send a malicious link to a logged-in operator; when clicked, it forces the controller to execute unauthorized commands via the missing CSRF protection (CVE-2016-8350).
Prerequisites
  • Network access to the web interface (typically HTTP port 80 or 443)
  • For XSS and CSRF exploitation: an authenticated user logged into the web console
  • For credential interception: traffic visibility on the network segment (no HTTPS)
Tags: remotely exploitable · unencrypted credential transmission · weak password storage (truncation) · no authentication required for password interception · low complexity attack · no patch available
Exploitability
Low exploit probability (EPSS 0.6%)
Affected products (1)
Product          Affected Versions   Fix Status
ioLogik E1200    All versions        No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Disable or restrict HTTP web console access; require HTTPS for all management connections
HARDENING: Implement network segmentation: place ioLogik controllers on a separate VLAN with firewall rules allowing access only from authorized engineering workstations
HARDENING: Require strong, complex passwords (minimum 16 characters, mixed case, numbers, symbols) to mitigate password truncation attacks
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Monitor web interface logs for suspicious login attempts, XSS payloads, or unusual configuration changes
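A concrete shape for that monitoring item, as an added example rather than code from Moxa or OTPulse: a small scanner that runs over web access-log lines and raises one finding per weakness named in this advisory (credentials in a GET query string, script-like parameter values, configuration requests from outside the engineering VLAN or with a foreign Referer, and repeated login failures). The log format (the common "combined" format from a reverse proxy or collector in front of the management interface), the endpoint paths, the controller address and the workstation addresses are all assumptions; the controller's own log format is not documented on this page. The sample lines are constructed.

```python
"""Added example (not Moxa's or OTPulse's code): access-log scanner for the
ioLogik web-interface monitoring recommendation. Log format, paths and
addresses below are assumptions for a constructed environment."""
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumed environment (constructed values).
DEVICE_HOST = "10.10.5.100"                           # controller management address
ALLOWED_SOURCES = {"10.10.5.21", "10.10.5.22"}        # authorized engineering workstations
CONFIG_PATHS = ("/ioconfig", "/setting", "/reboot")   # hypothetical config endpoints
PASSWORD_PARAMS = {"password", "passwd", "pwd", "pass"}
FAILED_LOGIN_THRESHOLD = 3

# Crude indicator of script injection in a submitted parameter value.
SCRIPT_RE = re.compile(r"<\s*script|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)

# "combined"-style access log: src ident user [ts] "METHOD target proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)


def parse_line(line):
    """Return the fields we need as a dict, or None if the line is not an access-log entry."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    url = urlsplit(entry["target"])
    entry["path"] = url.path
    entry["params"] = parse_qsl(url.query, keep_blank_values=True)
    return entry


def entry_findings(entry):
    """Per-request checks, each mapped to one of the advisory's weaknesses."""
    tags = []
    names = {name.lower() for name, _ in entry["params"]}
    # CVE-2016-8372: a password carried in a GET query string (it now sits in this log too).
    if entry["method"] == "GET" and names & PASSWORD_PARAMS:
        tags.append("credential-in-url")
    # CVE-2016-8359: script-like content submitted to a field the device will store and render.
    # parse_qsl already percent-decodes; unquote again to catch double encoding.
    if any(SCRIPT_RE.search(unquote(value)) for _, value in entry["params"]):
        tags.append("script-payload")
    if entry["path"].startswith(CONFIG_PATHS):
        # Segmentation check: configuration traffic from a host outside the engineering VLAN.
        if entry["src"] not in ALLOWED_SOURCES:
            tags.append("config-change-from-unexpected-host")
        # CVE-2016-8350: a state-changing request whose Referer points at another origin.
        referer_host = urlsplit(entry["referer"]).hostname
        if referer_host and referer_host != DEVICE_HOST:
            tags.append("cross-origin-config-request")
    return tags


def scan(lines):
    """Return a sorted, de-duplicated list of (finding, source_ip, path) over all lines."""
    findings = set()
    failed_logins = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        for tag in entry_findings(entry):
            findings.add((tag, entry["src"], entry["path"]))
        # CVE-2016-8379: truncated storage makes guessing cheap, so count failures per source.
        if entry["path"].startswith("/login") and entry["status"] in ("401", "403"):
            failed_logins[(entry["src"], entry["path"])] += 1
    for (src, path), count in failed_logins.items():
        if count >= FAILED_LOGIN_THRESHOLD:
            findings.add(("repeated-failed-logins", src, path))
    return sorted(findings)


# Constructed sample: one operator workstation (10.10.5.21) and one unexpected host (10.10.5.77).
SAMPLE_LOG = [
    '10.10.5.21 - - [19/Aug/2016:08:00:01 +0000] "GET /login.cgi?user=admin&password=changeme HTTP/1.1" 200 512 "http://10.10.5.100/" "Mozilla/5.0"',
    '10.10.5.21 - - [19/Aug/2016:08:00:09 +0000] "POST /ioconfig.cgi HTTP/1.1" 200 128 "http://10.10.5.100/ioconfig.cgi" "Mozilla/5.0"',
    '10.10.5.21 - - [19/Aug/2016:08:03:40 +0000] "GET /ioconfig.cgi?do0=1 HTTP/1.1" 200 128 "http://intranet.example/news.html" "Mozilla/5.0"',
    '10.10.5.21 - - [19/Aug/2016:08:05:12 +0000] "POST /setting.cgi?devname=%3Cscript%3Eprobe%3C%2Fscript%3E HTTP/1.1" 200 128 "http://10.10.5.100/setting.cgi" "Mozilla/5.0"',
    '10.10.5.77 - - [19/Aug/2016:08:10:00 +0000] "GET /ioconfig.cgi?ao0=4095 HTTP/1.1" 200 128 "-" "curl/7.47"',
    '10.10.5.77 - - [19/Aug/2016:08:11:01 +0000] "GET /login.cgi?user=admin&password=a HTTP/1.1" 401 0 "-" "curl/7.47"',
    '10.10.5.77 - - [19/Aug/2016:08:11:02 +0000] "GET /login.cgi?user=admin&password=b HTTP/1.1" 401 0 "-" "curl/7.47"',
    '10.10.5.77 - - [19/Aug/2016:08:11:03 +0000] "GET /login.cgi?user=admin&password=c HTTP/1.1" 401 0 "-" "curl/7.47"',
    "not an access log line",
]

if __name__ == "__main__":
    for finding, src, path in scan(SAMPLE_LOG):
        print(f"{finding:40} {src:15} {path}")
```

Running it over the sample yields six findings: the operator's own login leaked its password in the URL, one config request from the workstation carried a foreign Referer, one stored field received a script tag, and the unexpected host both touched configuration and failed three logins in a row. A credential-in-url hit also means the log file itself now holds that password, so treat it as a rotation trigger, not only an alert.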
Long-term hardening
WORKAROUND: If replacement is feasible, migrate to newer Moxa controller models with patched firmware and built-in security hardening