Moxa ioLogik E1200 Series Web Server Vulnerability

Plan PatchCVSS 8.8MPSA-235250Dec 23, 2023

Moxa

Summary

Two web application vulnerabilities have been identified in ioLogik E1200 Series firmware v3.3 and prior: CVE-2023-5961 (CVSS 8.8): Cross-Site Request Forgery (CSRF) vulnerability allows an attacker to trick a logged-in user into making unintentional requests to the web server, which are treated as authentic. An attacker can perform operations on behalf of the victim without their knowledge. CVE-2023-5962 (CVSS 6.5): Use of a broken or risky cryptographic algorithm compromises the confidentiality of sensitive data. This vulnerability allows an attacker to obtain unauthorized access with valid credentials.

What this means

What could happen

An attacker could trick a web interface user into unwittingly changing device settings or configuration (CVE-2023-5961), or could decrypt sensitive communications and credentials using weak cryptography (CVE-2023-5962). Either attack could disrupt I/O logging operations or expose credentials for lateral movement.

Who's at risk

This affects water authorities and utilities running ioLogik E1200 remote terminal units (RTUs) or data acquisition devices. These devices collect and log input/output (I/O) data from sensors and field devices across water treatment, distribution, wastewater, and electrical substations. An administrator or operator using the web interface to manage or monitor the E1200 is at risk.

How it could be exploited

For CVE-2023-5961, an attacker crafts a malicious webpage or email link that a logged-in device administrator visits; the user's browser automatically sends an authenticated request to the E1200 web interface to change settings. For CVE-2023-5962, an attacker with network access can intercept encrypted credentials or communications using weak cryptographic algorithms and decrypt them offline.

Prerequisites

Network access to the E1200 web interface (port 80/443)
For CVE-2023-5961: A device administrator must be logged into the web interface and visit an attacker-controlled website
For CVE-2023-5962: Valid credentials or ability to observe encrypted communications on the network

Remotely exploitable (CVE-2023-5961)No authentication required for CSRF attack (CVE-2023-5961)Low complexity attackNo patch available yetAffects data confidentiality and device configuration

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Public Proof-of-Concept (PoC) on GitHub (1 repository)

Affected products (1)

ProductAffected VersionsFix Status

ioLogik E1200All versionsNo fix yet

Remediation & Mitigation

0/5

Do now

0/3

WORKAROUNDRestrict network access to the E1200 web interface using a firewall; only allow administrative workstations and automation systems

HARDENINGUse a VPN or jump host (bastion) for remote administration of the E1200; do not expose the web interface directly to untrusted networks

HARDENINGRequire strong, unique passwords for all E1200 web interface accounts

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade ioLogik E1200 firmware to version 3.3 or later when available

WORKAROUNDDisable the E1200 web interface if it is not needed for your operation; manage the device through serial console or secure network segment only

CVEs (2)

CVE-2023-5961 CVE-2023-5962

View full Moxa Security advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/bd5bd5a4-2a68-431f-8180-fdd1ff127b2a

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.