Moxa PT-G503 Series Multiple Vulnerabilities

Act NowCVSS 5MPSA-230203Jan 5, 2024

Moxa

Summary

Moxa PT-G503 Series firmware v5.2 and earlier contain five security vulnerabilities: Cross-site Scripting (XSS) from outdated jQuery (CVE-2015-9251, CVE-2020-11022, CVE-2020-11023), prototype pollution via jQuery (CVE-2019-11358), weak cipher suites allowing decryption (CVE-2005-4900), and improperly configured session cookies that lack HttpOnly and Secure flags (CVE-2023-4217, CVE-2023-5035). These flaws allow remote attackers to insert malicious code into the web interface, inject attributes into objects, decrypt traffic, or intercept session data without authentication or with minimal complexity. No fixed version is currently available.

What this means

What could happen

An attacker could inject malicious code into the web interface to steal session credentials, manipulate device configuration, or intercept sensitive data. Compromised web access to the PT-G503 could allow unauthorized changes to network routing or tunnel policies.

Who's at risk

Water utilities and municipalities operating Moxa PT-G503 industrial gateways for network bridging or protocol conversion should prioritize this. The PT-G503 is often deployed at SCADA network boundaries and remote sites to extend network reach. Compromise could expose routing decisions and network topology to attackers.

How it could be exploited

An attacker sends a crafted HTTP request containing JavaScript or HTML to the PT-G503 web interface. If an authenticated user accesses the page, the injected code executes in their browser and can steal their session cookie or credentials. Alternatively, weak cipher suites allow an attacker on the network to decrypt communications, or unprotected cookies can be transmitted over plaintext HTTP.

Prerequisites

Network access to the PT-G503 web interface (port 80/443)
User interaction: an authenticated administrator must visit a malicious link or page containing the payload
Device must be running firmware v5.2 or earlier

Remotely exploitableActively exploited (KEV)High EPSS score (36.9%)No patch availableUser interaction required for XSS attacksMultiple vulnerability types

Exploitability

Actively exploited — confirmed by CISA KEV

Public Proof-of-Concept (PoC) on GitHub (10 repositories)

Affected products (1)

ProductAffected VersionsFix Status

PT-G503All versionsNo fix (EOL)

Remediation & Mitigation

0/4

Do now

0/2

WORKAROUNDRestrict network access to the PT-G503 web interface using firewall rules; limit access to trusted engineering workstations only

HARDENINGDisable or remove direct internet-facing access to the PT-G503 web console; place the device on a protected management network

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade PT-G503 firmware to a version newer than v5.2 when available from Moxa

HARDENINGUse HTTPS only for web management; disable HTTP access to the device

CVEs (7)

CVE-2015-9251 CVE-2020-11022 CVE-2019-11358 CVE-2005-4900 CVE-2023-4217 CVE-2023-5035 CVE-2020-11023

View full Moxa Security advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/cb30d6d3-ea1e-4422-b5b6-55f90a539a50

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.