Moxa EDS-405A/408A Series Multiple Web Vulnerabilities
Plan Patch | 8.2 | MPSA-154603 | Jun 27, 2024
Summary
Moxa EDS-405A and EDS-408A industrial Ethernet switches contain three web server vulnerabilities in versions 3.5 and earlier (EDS-405A) and 3.6 and earlier (EDS-408A). The vulnerabilities are improper privilege management (CVE-2015-6464), allowing an authenticated user to escalate privileges; uncontrolled resource exhaustion (CVE-2015-6465) in the embedded GoAhead web server, enabling denial-of-service by an authenticated user; and improper input neutralization (CVE-2015-6466) in the administrative web interface, allowing unauthenticated cross-site scripting (XSS) injection. An attacker could send crafted HTTP input to exploit these flaws, potentially leading to denial-of-service, remote code execution, and privilege escalation.
What this means
What could happen
An attacker could disrupt switch operations through denial-of-service, escalate to administrative access if authenticated, or inject malicious scripts into the web interface to compromise management traffic or redirect configuration changes on your industrial network.
Who's at risk
Water utilities and electric utilities using Moxa EDS-405A or EDS-408A industrial Ethernet switches for network connectivity in SCADA systems, remote terminal units (RTUs), and substation automation equipment should evaluate their exposure. These switches are commonly deployed in distribution automation, pumping stations, and generation facilities where network availability is critical to operations.
How it could be exploited
An unauthenticated attacker could craft malicious HTTP input containing JavaScript code to exploit the XSS vulnerability and inject commands into the web interface. An authenticated attacker could send specially crafted input to trigger privilege escalation or exhaust server resources, causing the switch management interface to become unavailable and disrupting network monitoring and control.
Prerequisites
Network access to the web management interface (TCP port 80/443)
Authentication credentials required for privilege escalation (CVE-2015-6464) and denial-of-service (CVE-2015-6465) exploitation
No authentication required for XSS attack (CVE-2015-6466) if the administrative interface is accessible from your network
Risk factors
Remotely exploitable (all three CVEs)
No patch available - end-of-life product
Uncontrolled resource exhaustion can disable switch
XSS exploitable without authentication
Affects network infrastructure critical to water/power operations
Low technical complexity to exploit (particularly XSS)
Multiple vulnerability types in same device
Exploitability
Moderate exploit probability (EPSS 1.5%)
Affected products (1)
Product: EDS-405A/408A
Affected Versions: All versions
Fix Status: No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Implement firewall rules to restrict access to the web management interface (ports 80/443) to authorized engineering workstations and management networks only.
WORKAROUND: Disable the web management interface if management is performed out-of-band or through separate management networks; use serial console or SNMP only.
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Replace or upgrade EDS-405A/408A switches to supported hardware with current firmware. Moxa has not released patches for these vulnerabilities.
Mitigations - no patch available
EDS-405A/408A has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Segment industrial switches onto separate VLANs or network zones to limit an attacker's ability to reach the web interface from the operational network.
HARDENING: Implement intrusion detection or network monitoring to detect unusual HTTP traffic patterns targeting the switch management interface.
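The firewall workaround and the two hardening controls above all come down to one question for the monitoring team: which HTTP traffic is reaching the switch management interface, from where, and does it look like the three advisory CVEs? The following is an added example, not code from Moxa or from this advisory, that applies those controls as detection logic over a constructed firewall-style HTTP log. The switch management address, the authorized engineering subnet, the log line format, the XSS markers and the rate threshold are all assumptions for the example.

```python
"""Added example (not from the Moxa advisory): detection logic for HTTP traffic
to a switch management interface, run over constructed sample log lines.

It flags three things the advisory's compensating controls care about:
  1. requests to the management interface from outside the authorized
     engineering subnet (firewall / segmentation violation);
  2. requests whose decoded path or query carries script-injection markers
     (XSS attempt against the web interface, CVE-2015-6466 class);
  3. one source issuing many requests in a short window (possible resource
     exhaustion of the embedded web server, CVE-2015-6465 class).
Addresses, subnets, log format and thresholds are assumptions for the example.
"""
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime
from html import unescape
from urllib.parse import unquote

# Assumed environment: the switch's management address and the only subnet
# that should ever reach its web interface.
SWITCH_MGMT_IP = ipaddress.ip_address("10.20.30.5")
ENGINEERING_SUBNET = ipaddress.ip_network("10.20.100.0/24")
MGMT_PORTS = {80, 443}

# Assumed log format: "<ISO timestamp> <src_ip> <dst_ip> <dst_port> <method> <path>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<port>\d+) (?P<method>[A-Z]+) (?P<path>\S+)$"
)
# Coarse script-injection markers; tune for your own interface's parameter names.
XSS_RE = re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.IGNORECASE)

RATE_WINDOW_SECONDS = 10
RATE_THRESHOLD = 20  # requests from one source inside the window

# Constructed sample log: one normal engineering request, two requests from an
# unauthorized subnet (one carrying an encoded script tag), one engineering
# request with a javascript: URI, one unrelated request, and a 25-request burst.
SAMPLE_LOG = [
    "2024-06-27T10:00:00 10.20.100.15 10.20.30.5 443 GET /index.asp",
    "2024-06-27T10:00:05 10.20.200.7 10.20.30.5 80 GET /index.asp",
    "2024-06-27T10:00:06 10.20.200.7 10.20.30.5 80 GET /login.asp?user=%3Cscript%3Ealert(1)%3C/script%3E",
    "2024-06-27T10:00:07 10.20.100.15 10.20.30.5 443 GET /other.asp?q=javascript:void(0)",
    "2024-06-27T10:00:08 10.20.100.15 192.168.1.1 80 GET /",
] + [
    f"2024-06-27T10:01:{i * 0.2:06.3f} 10.20.100.40 10.20.30.5 80 GET /index.asp"
    for i in range(25)
]


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    rec["port"] = int(rec["port"])
    return rec


def is_mgmt_request(rec):
    """True when the request targets the switch web management interface."""
    return rec["dst"] == SWITCH_MGMT_IP and rec["port"] in MGMT_PORTS


def decode_path(path):
    """Undo URL and HTML encoding so obfuscated markers are still visible."""
    return unescape(unquote(unquote(path)))


def analyse(lines):
    """Return a list of (rule, source_ip, detail) alerts for the given log lines."""
    alerts = []
    per_source_times = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_mgmt_request(rec):
            continue
        src = str(rec["src"])
        if rec["src"] not in ENGINEERING_SUBNET:
            alerts.append(("segmentation_violation", src, rec["path"]))
        if XSS_RE.search(decode_path(rec["path"])):
            alerts.append(("xss_marker", src, rec["path"]))
        per_source_times[src].append(rec["ts"])
    # Sliding-window rate check: one alert per source that crosses the threshold.
    for src, times in per_source_times.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > RATE_WINDOW_SECONDS:
                start += 1
            if end - start + 1 >= RATE_THRESHOLD:
                alerts.append(("request_flood", src,
                               f"{end - start + 1} requests in {RATE_WINDOW_SECONDS}s"))
                break
    return alerts


def alert_counts(lines):
    """Count alerts per rule, as a plain dict, for the given log lines."""
    return dict(Counter(rule for rule, _, _ in analyse(lines)))


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

Two design choices worth noting: the path is decoded (URL then HTML) before matching, because the advisory describes crafted HTTP input and a single-pass match on the raw path misses the encoded form; and the rate rule is a sliding window per source rather than a global counter, so a legitimate engineering workstation polling status pages every few seconds is not mistaken for a flood.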