Moxa EDS-4000/G4000 Series IP Forwarding Vulnerability
Low Risk · 1 · MPSA-237129 · Feb 26, 2024
Summary
The Moxa EDS-4000/G4000 Series switches (all versions prior to 3.2) have IP forwarding enabled by default, and users cannot disable it. An attacker with network access and low-privilege credentials can exploit this to forward traffic through the device to other systems, bypassing access controls and masking the origin of requests. This is a Confused Deputy vulnerability (CWE-441), tracked as CVE-2024-0387, with a CVSS score of 6.5.
What this means
What could happen
An attacker with network access to the EDS-4000/G4000 could use the device as a proxy to forward traffic to other systems on your network, potentially bypassing firewall rules and hiding the origin of malicious requests. This could allow reconnaissance of internal devices or relay of attacks through your legitimate equipment.
Who's at risk
Water authorities and municipal utilities operating Moxa EDS-4000 or G4000 series managed Ethernet switches for network monitoring, remote I/O, or industrial control system connectivity should assess exposure. These devices are commonly used to bridge OT networks (SCADA, RTUs, PLCs) with IT systems. The vulnerability affects any deployment where the switch has network paths to critical systems.
How it could be exploited
An attacker on the network sends a crafted request to the EDS-4000/G4000 that the device forwards on to an internal target system. Because the request appears to originate from the trusted Moxa switch rather than the attacker, it may bypass access controls on the target. The attacker can also hide their identity while probing or attacking other devices.
Prerequisites
- Network access to the EDS-4000/G4000 device
- Valid credentials for at least the user role (PR:L indicates low-privilege account required)
- IP forwarding cannot be disabled
- No vendor patch available
- Requires valid user credentials to exploit
- Low CVSS but persistent design flaw
- Could enable lateral movement in network
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (1)
Product | Affected Versions | Fix Status
EDS-4000/G4000 | All versions | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Configure firewall rules or access control lists to block the EDS-4000/G4000 from forwarding traffic to critical internal systems and sensitive network ranges.
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HARDENING: Enforce strong credentials and restrict accounts with access to the device. Disable or remove any unnecessary user accounts.
Mitigations - no patch available
EDS-4000/G4000 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Isolate EDS-4000/G4000 devices on a restricted management network segment that does not bridge to production equipment or other critical systems. Limit IP forwarding scope using network segmentation.
HARDENING: Monitor network traffic from the EDS-4000/G4000 for unexpected proxy or forwarding activity. Alert on connections initiated from the device to internal systems outside normal operations.
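One way to implement the monitoring control above, as an added example (not part of the original advisory or any Moxa tooling): it flags frames that leave the switch carrying a source IP other than the switch's own, which is what routed traffic looks like on the wire, and flags connections from the switch's own IP to peers outside a baseline. The flow-record fields, MAC and IP addresses, baseline and protected range are all constructed assumptions, and the check assumes the capture point sits on the segment the switch sends into and that the switch is not meant to route for it.

```python
import ipaddress

# Assumed inventory values (constructed): the switch's management identity,
# the peers it legitimately talks to (NTP, syslog), and a protected OT range.
SWITCH_MAC = "00:90:e8:00:00:01"
SWITCH_IP = "10.10.0.2"
BASELINE = {("10.10.0.10", 123), ("10.10.0.11", 514)}
PROTECTED = [ipaddress.ip_network("10.20.0.0/16")]

def classify(flow):
    """Return an alert label for one flow record, or None if it is expected."""
    if flow["src_mac"].lower() != SWITCH_MAC:
        return None  # frame was not emitted by the switch
    dst = ipaddress.ip_address(flow["dst_ip"])
    protected = any(dst in net for net in PROTECTED)
    if flow["src_ip"] != SWITCH_IP:
        # Switch MAC with a foreign source IP: the switch routed this packet.
        return "forwarded-to-protected" if protected else "forwarded"
    if (flow["dst_ip"], flow["dst_port"]) not in BASELINE:
        # Connection from the switch itself to a peer it normally never contacts.
        return "off-baseline-protected" if protected else "off-baseline"
    return None

def scan(flows):
    """Return (alert, flow) pairs for every flow that needs review."""
    return [(a, f) for f in flows if (a := classify(f))]

# Constructed sample flow records, not captured from a real network.
FIELDS = ("src_mac", "src_ip", "dst_ip", "dst_port")
SAMPLE = [dict(zip(FIELDS, r)) for r in [
    ("00:90:E8:00:00:01", "10.10.0.2", "10.10.0.10", 123),    # NTP, baseline
    ("00:90:e8:00:00:01", "192.168.50.7", "10.20.1.5", 502),  # routed to PLC range
    ("00:90:e8:00:00:01", "10.10.0.2", "10.20.1.5", 502),     # switch itself to PLC
    ("aa:bb:cc:00:00:09", "10.10.0.50", "10.20.1.5", 502),    # other host, ignored
    ("00:90:e8:00:00:01", "192.168.50.7", "10.10.0.99", 80),  # routed elsewhere
]]

if __name__ == "__main__":
    for alert, f in scan(SAMPLE):
        print(f"{alert}: {f['src_ip']} -> {f['dst_ip']}:{f['dst_port']}")
```
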
CVEs (1)