Moxa Vulnerabilities Identified in MDS-G4028-L3 Series and EDS-G512E - SSH Prefix Truncation, EOL Nginx Software, and Weak SSL/TLS Key Exchange

Act Now | CVSS 7.7 | MPSA-241044 | Nov 4, 2024
Vendor: Moxa
Attack path
  • Attack Vector: Network
  • Auth Required: None
  • Complexity: High
  • User Interaction: None needed
Summary

Moxa MDS-G4028-L3 series and EDS-G512E industrial network devices contain multiple vulnerabilities:
  • CVE-2023-48795: SSH prefix truncation allows bypass of SSH integrity checks, enabling unauthorized command injection via malformed SSH packets.
  • Outdated Nginx component (versions affected by CVE-2021-23017, CVE-2021-3618, CVE-2019-20372), allowing HTTP request smuggling, cache poisoning, and certificate validation bypass.
  • Weak SSL/TLS key exchange on EDS-G512E, enabling brute-force decryption of encrypted management traffic.
The SSH and Nginx vulnerabilities can be exploited to inject unauthorized configuration changes or commands, while the weak encryption compromises the confidentiality of communications. All vulnerabilities are reachable over the network, and some attack paths require no authentication.

What this means
What could happen
An attacker with network access to the MDS-G4028-L3 or EDS-G512E could intercept and forge SSH commands or HTTPS traffic, potentially injecting unauthorized configuration changes or data into the device. Weak encryption on EDS-G512E could allow attackers to decrypt sensitive management communications or monitored sensor data.
Who's at risk
Moxa industrial managed switches and gateways (MDS-G4028-L3 series and EDS-G512E) used in manufacturing, water treatment, power distribution, and other critical infrastructure environments where network-based remote access to device management is required. These devices typically handle network connectivity for PLCs, RTUs, and field sensors across industrial facilities.
How it could be exploited
An attacker could exploit SSH prefix truncation (CVE-2023-48795) to inject malicious commands into the device management interface by crafting specially formatted SSH packets that bypass integrity checks. Alternatively, the attacker could exploit outdated Nginx vulnerabilities to trigger HTTP request smuggling or cache poisoning, allowing them to bypass firewall rules or inject commands into the web interface. For EDS-G512E, weak SSL/TLS key exchange allows decryption of encrypted communications through brute-force attacks.
Prerequisites
  • Network access to SSH port (22) or HTTPS port (443) on the device
  • No authentication required for some attack vectors
  • Physical proximity or network routing to reach the device management interfaces

  • Remotely exploitable via SSH and HTTPS
  • High EPSS score (73.5%)
  • No fix available from vendor
  • Weak encryption strength affects data confidentiality
  • Network management interfaces vulnerable to command injection
  • Affects network infrastructure used in safety-critical systems
Exploitability
Likely to be exploited — EPSS score 73.2%
Public Proof-of-Concept (PoC) on GitHub (10 repositories)
Affected products (1)
Product | Affected Versions | Fix Status
MDS | All versions | No fix yet
Remediation & Mitigation
Do now
HARDENING: Isolate MDS-G4028-L3 and EDS-G512E devices from direct internet access using firewall rules that restrict inbound access to management ports (SSH port 22, HTTPS port 443) to authorized engineering workstations only.
WORKAROUND: Disable SSH and HTTPS remote access on the devices if not required for operations; use local serial console or in-band management only.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Place MDS and EDS devices on a dedicated, segregated network segment (VLAN) separate from the general IT network and remote access points.
HARDENING: Configure VPN or jumphost-only access for any remote management of these devices; do not expose management interfaces directly to untrusted networks.
HOTFIX: Contact Moxa support to determine whether a firmware update addressing these vulnerabilities is available or planned for your specific device versions.
Long-term hardening
HARDENING: Monitor SSH and HTTPS traffic to the devices for anomalous command patterns or requests that may indicate exploitation attempts.
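Before relying on the workarounds above, a defender can confirm whether a device's SSH service still offers the algorithm combinations that CVE-2023-48795 (Terrapin) depends on, by reading the algorithm lists in the server's unencrypted KEXINIT message and checking for the strict key exchange countermeasure. This is an added example, not code from Moxa or from this advisory; it assumes only a standard SSH-2 server on the port given, and any host you pass to the live check is your own placeholder.

```python
import socket
import struct

SSH_MSG_KEXINIT = 20
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"   # server-side strict-kex countermeasure flag
FIELDS = ["kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

def parse_kexinit(payload: bytes) -> dict:
    """Parse an SSH_MSG_KEXINIT payload (RFC 4253 section 7.1) into its ten name-lists."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    pos, out = 17, {}                                  # skip message id + 16-byte cookie
    for name in FIELDS:
        (n,) = struct.unpack(">I", payload[pos:pos + 4])
        out[name] = payload[pos + 4:pos + 4 + n].decode().split(",") if n else []
        pos += 4 + n
    return out

def assess_terrapin(kx: dict) -> dict:
    """Vulnerable if ChaCha20-Poly1305, or a CBC cipher with an EtM MAC, is offered without strict kex."""
    ciphers = set(kx["enc_c2s"]) | set(kx["enc_s2c"])
    macs = set(kx["mac_c2s"]) | set(kx["mac_s2c"])
    chacha = "chacha20-poly1305@openssh.com" in ciphers
    cbc_etm = (any(c.endswith("-cbc") for c in ciphers)
               and any(m.endswith("-etm@openssh.com") for m in macs))
    strict = STRICT_KEX_SERVER in kx["kex"]
    return {"chacha20": chacha, "cbc_etm": cbc_etm, "strict_kex": strict,
            "vulnerable": (chacha or cbc_etm) and not strict}

def fetch_server_kexinit(host: str, port: int = 22, timeout: float = 5.0) -> bytes:
    """Complete the version exchange and return the server's (still unencrypted) KEXINIT payload."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        for line in f:                                 # servers may send text lines before SSH-
            if line.startswith(b"SSH-"):
                break
        else:
            raise ConnectionError("no SSH version string received")
        s.sendall(b"SSH-2.0-kexinit_check\r\n")
        (plen,) = struct.unpack(">I", f.read(4))       # binary packet: len, padlen, payload, padding
        pad = f.read(1)[0]
        return f.read(plen - 1)[:plen - 1 - pad]

def build_kexinit(**lists) -> bytes:                   # constructed test input, not a device capture
    body = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16
    for name in FIELDS:
        v = ",".join(lists.get(name, [])).encode()
        body += struct.pack(">I", len(v)) + v
    return body + b"\x00" + struct.pack(">I", 0)       # first_kex_packet_follows=0, reserved=0
```

Pass the result of fetch_server_kexinit through parse_kexinit and assess_terrapin for a live device; build_kexinit produces constructed input for offline checks, and a "vulnerable" result means the SSH service should be kept behind the firewall and VPN controls listed above until a fixed firmware is available.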