OTPulse

Moxa MGate MB3000 Series, MGate 5100 Series, and MGate W5000 Series Protocol Gateway Vulnerabilities

Low Risk (CVSS 1) | Jun 1, 2016
Summary

A vulnerability in Moxa MGate MB3000, MGate 5100, and MGate W5000 Series Protocol Gateways allows authentication bypass through brute force discovery of a static Call ID from a cookie (CWE-287, CVE-2016-5804). An attacker could use this to bypass authentication mechanisms on the gateway.

What this means
What could happen
An attacker could bypass authentication on the protocol gateway and gain unauthorized access to configure communication settings, potentially disrupting Modbus TCP/IP communication between your SCADA systems and field devices.
Who's at risk
Water utilities and electric utilities operating Moxa MGate protocol gateways for Modbus TCP/IP communication between their SCADA systems, RTUs, and field devices, as well as organizations using these gateways for historian data collection or remote equipment monitoring.
How it could be exploited
An attacker with network access to the MGate gateway's management interface could repeatedly attempt different Call ID values derived from session cookies to bypass authentication. Once authenticated, they could modify gateway configuration, alter routing rules, or disconnect critical device communications.
Prerequisites
  • Network access to the MGate gateway management interface (typically port 80/443 or a proprietary port)
  • Ability to capture or observe session cookies from legitimate users
  • Access to attempt multiple authentication requests without rate limiting
Remotely exploitable · Low authentication complexity · Legacy protocol gateway (no fix available) · Default or weak security configurations common in older gateways
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
Product | Affected Versions | Fix Status
MGate MB3000 | All versions | No fix (EOL)
Remediation & Mitigation
Do now
  • HARDENING: Implement network-level access controls: restrict management interface access to authorized engineering workstations only using firewall rules and IP whitelisting
  • WORKAROUND: Disable remote management interface access if not actively used; configure the gateway for local management only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HARDENING: Enable VPN or jump-host access to the gateway instead of direct network exposure
  • HARDENING: Implement session timeout and rate limiting at the network edge if the gateway does not support these natively
  • HARDENING: Monitor authentication attempts to the gateway for unusual brute force patterns
Mitigations - no patch available
MGate MB3000 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
  • HARDENING: Segment the MGate gateway on a separate network from production SCADA systems to limit the scope of authentication bypass impact
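
The monitoring item above (watching authentication attempts for brute force patterns) can be implemented at a reverse proxy or firewall in front of the gateway. The following is an added example, not part of the original advisory or any vendor tooling: it flags any source that presents many different cookie values in a short window. The log layout, addresses, cookie values and thresholds are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def build_sample():
    """Constructed access log: '<timestamp> <source IP> <path> cookie=<value>'.
    The layout, addresses and cookie values are assumptions for illustration."""
    t0 = datetime(2016, 6, 1, 10, 0, 0)
    rows = []
    for i in range(20):  # engineering workstation reusing one cookie value
        rows.append((t0 + timedelta(seconds=30 * i), "10.0.5.20", "7f3a"))
    for i in range(12):  # one source presenting a new value every 2 seconds
        rows.append((t0 + timedelta(seconds=2 * i), "10.0.9.77", f"{i:04x}"))
    for i in range(4):   # operator logging in again once an hour
        rows.append((t0 + timedelta(hours=i), "10.0.5.31", f"b{i:03x}"))
    rows.sort()
    return "\n".join(f"{ts.isoformat()} {src} /index.htm cookie={c}" for ts, src, c in rows)

def parse(line):
    ts, src, _path, cookie = line.split()
    return datetime.fromisoformat(ts), src, cookie.partition("=")[2]

def find_cookie_guessing(log_text, window_s=60, max_distinct=5):
    """Map each source that presents more than max_distinct different cookie
    values inside a sliding window of window_s seconds to its first alert time."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)   # source IP -> (timestamp, cookie) inside window
    alerts = {}
    for line in filter(str.strip, log_text.splitlines()):
        ts, src, cookie = parse(line)
        seen = recent[src]
        seen.append((ts, cookie))
        while ts - seen[0][0] > window:   # expire entries older than the window
            seen.popleft()
        if src not in alerts and len({c for _, c in seen}) > max_distinct:
            alerts[src] = ts
    return alerts

if __name__ == "__main__":
    for src, ts in find_cookie_guessing(build_sample()).items():
        print(f"ALERT {src}: more than 5 distinct cookie values within 60 s at {ts}")
```

Counting distinct cookie values rather than raw request volume keeps a busy but legitimate workstation, which reuses one value, from triggering the alert.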