OTPulse

Moxa Multiple Vulnerabilities in MXview One and MXview One Central Manager Series

Monitor | CVSS 6.8 | MPSA-240735 | Sep 21, 2024
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

Three vulnerabilities in Moxa MXview One and MXview One Central Manager affect all versions. CVE-2024-6785: Configuration files store credentials in cleartext, allowing local attackers to read and modify them, exposing service credentials. CVE-2024-6786: MQTT protocol allows path traversal attacks to read arbitrary files including configuration files and JWT signing secrets. CVE-2024-6787: A race condition in file operations allows attackers to write arbitrary files to the system, enabling code execution. All three require either local system access or authenticated MQTT network access. Vendor has not released a fix and no updates are planned.

What this means
What could happen
An attacker with local or remote access to MXview One could steal credentials and configuration secrets from cleartext storage, or read arbitrary files and write malicious files to the system via MQTT, potentially allowing code execution and disruption of industrial network monitoring and management functions.
Who's at risk
Water utilities, electric utilities, and other critical infrastructure operators using Moxa MXview One or MXview One Central Manager series for industrial network monitoring, device management, and SCADA gateway management should be concerned. These products are commonly deployed to centralize visibility and control over distributed industrial equipment (switches, routers, remote I/O, PLCs) across multiple facilities.
How it could be exploited
An attacker with local credentials or remote MQTT access can craft messages to traverse the file system (CVE-2024-6786), read sensitive configuration files and secrets, and exploit a race condition (CVE-2024-6787) to write arbitrary files including malicious code. Local attackers can also directly read cleartext credentials stored in configuration files (CVE-2024-6785).
Prerequisites
  • Local system access OR network access to MQTT service port (default 1883/8883)
  • Valid user credentials for local access or authenticated MQTT session
  • Knowledge of file paths or ability to enumerate system structure via path traversal
  • Remotely exploitable via MQTT protocol
  • Authentication required but uses standard credentials
  • Low complexity exploitation (path traversal and race condition)
  • No patch available from vendor
  • Affects industrial network management and monitoring systems
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (1)
Product: MXview One and MXview One Central Manager Series
Affected Versions: All versions
Fix Status: No fix (EOL)
Remediation & Mitigation
Do now
  • HARDENING: Restrict network access to the MQTT broker port (1883/8883) to only authorized engineering workstations and management networks using firewall rules
  • WORKAROUND: Disable MQTT if not required for operations, or restrict MQTT connections to local network only
  • HARDENING: Enforce strong credentials for any local user accounts on MXview One systems
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HARDENING: Review and rotate any credentials stored in or referenced by MXview One configuration files
  • HARDENING: Implement file integrity monitoring on MXview One system directories to detect unauthorized file writes
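
One way to implement the file integrity monitoring item above, as an added example that is not from Moxa or OTPulse: a SHA-256 baseline of a directory tree compared against a later scan, reporting added, modified and removed files. The demo tree and the file name service.conf are constructed; point snapshot() at the actual MXview One install directory, which the advisory does not name.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file's path (relative to root, '/'-separated) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            h = hashlib.sha256()
            try:
                with open(path, "rb") as fh:
                    for chunk in iter(lambda: fh.read(65536), b""):
                        h.update(chunk)
                digests[rel] = h.hexdigest()
            except OSError:
                # Locked or vanished mid-scan: record it rather than skip silently.
                digests[rel] = "UNREADABLE"
    return digests


def compare(baseline, current):
    """Return sorted lists of paths added, modified or removed since baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "modified": modified, "removed": removed}


def demo():
    """Constructed sample tree standing in for an MXview One directory."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "config"))
        cfg = os.path.join(root, "config", "service.conf")  # hypothetical file name
        with open(cfg, "w") as fh:
            fh.write("broker_user=svc\n")
        baseline = snapshot(root)
        with open(cfg, "a") as fh:  # simulate a configuration file being modified
            fh.write("extra=1\n")
        with open(os.path.join(root, "dropped.bin"), "wb") as fh:  # unexpected new file
            fh.write(b"\x00")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

Store the baseline off the monitored host so that a file write on the MXview One system cannot also rewrite the reference digests.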
Mitigations - no patch available
MXview One and MXview One Central Manager Series has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
  • HARDENING: Isolate MXview One and MXview One Central Manager on a dedicated management VLAN separate from production OT networks