OTPulse
FeedAboutContact

Moxa ioPAC 8500 and ioPAC 8600 Series (IEC Models) Controllers Vulnerabilities

Monitor4iopac-8500-and-iopac-8600-series-iec-models-controllers-vulnerabilitiesDec 1, 2021
Summary

Moxa ioPAC 8500 and 8600 Series (IEC models) rugged modular programmable controllers contain multiple vulnerabilities: (1) Relative path traversal (CVE-2020-25176) allows unauthenticated remote attackers to traverse the application directory, potentially leading to remote code execution; (2) Cleartext transmission of sensitive information (CVE-2020-25178) enables remote attackers to upload, read, and delete files unencrypted; (3) Hard-coded cryptographic key (CVE-2020-25180) allows unauthenticated remote attackers to pass their own encrypted password to the ISaGRAF 5 Runtime, resulting in information disclosure; (4) Unprotected storage of credentials (CVE-2020-25184) allows unauthenticated on-site attackers to compromise user passwords.

What this means
What could happen
An attacker could execute arbitrary code on the controller, upload malicious programs to the PLC, or steal engineering credentials and configuration data. This could allow an attacker to modify process setpoints, disable safety interlocks, or shut down operations at a water treatment plant or electrical substation.
Who's at risk
Water utilities, electrical distribution operators, and other critical infrastructure facilities using Moxa ioPAC 8500 or 8600 Series (IEC models) controllers for process control, SCADA data acquisition, or programmable automation logic are affected. These rugged controllers are commonly deployed in remote water treatment plants, electrical substations, and pump stations.
How it could be exploited
An attacker on the network can craft a relative path traversal request to the web interface to reach sensitive files. Alternatively, the attacker can intercept unencrypted file transfer traffic to read or modify configuration and code files. If on-site, the attacker can extract plaintext credentials from the device storage. Once credentials are obtained, the attacker can authenticate and upload malicious IEC 61131-3 programs or execute commands.
Prerequisites
  • Network access to the ioPAC web interface (typically port 80/443)
  • Physical access to the device to recover plaintext credentials from storage (CVE-2020-25184)
  • No authentication required for path traversal, cleartext file transfer, and hardcoded key exploitation
Remotely exploitable (path traversal and cleartext transmission)No authentication required for multiple vulnerabilitiesLow complexity exploitationNo patch available from vendorAffects critical control devices (PLCs)Hard-coded credentials enable persistence
Exploitability
Moderate exploit probability (EPSS 2.6%)
Affected products (1)
ProductAffected VersionsFix Status
ioPAC 8500 and ioPAC 8600 Series (IEC Models) Controllers VulnerabilitiesAll versionsNo fix (EOL)
Remediation & Mitigation
0/6
Do now
0/2
WORKAROUNDRestrict network access to the ioPAC 8500/8600 web interface and file transfer services using firewall rules; allow only authorized engineering workstations
WORKAROUNDDisable or restrict remote file transfer capabilities (e.g., FTP) if not required for operations; use encrypted alternatives (SFTP) if available
Schedule — requires maintenance window
0/1

Patching may require device reboot — plan for process interruption

HOTFIXContact Moxa for security updates or alternative products; evaluate migration path if patches are not available
Mitigations - no patch available
0/3
ioPAC 8500 and ioPAC 8600 Series (IEC Models) Controllers Vulnerabilities has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENINGImplement network segmentation to isolate ioPAC controllers from untrusted networks
HARDENINGMonitor and log all access to the ioPAC web interface and file operations for suspicious activity
HARDENINGReview and regularly audit stored credentials on the device; rotate all engineering passwords
View full Moxa Security advisory
↑↓ Navigate · Esc Close
API: /api/v1/advisories/bb040687-8aac-4989-af9f-a3b603239562