OTPulse

Moxa: Moxa’s Response Regarding XZ Containing Malware/Backdoor (CVE-2024-3094)

Act Now · MPSA-243094 · Apr 30, 2024
Summary

Malicious code was discovered in upstream xz tarballs starting with version 5.6.0. The liblzma build process extracts a prebuilt object file from a disguised test file in the source code and uses it to modify specific functions in liblzma. This results in a compromised library that intercepts and modifies data interactions for any software linked against it.

What this means
What could happen
Any Moxa product or system linked against the compromised xz/liblzma library (versions 5.6.0 and later) could be backdoored, allowing an attacker to intercept, modify, or exfiltrate data passing through that library—potentially affecting remote access, configuration management, or monitoring communications.
Who's at risk
Water utilities, electric utilities, and other facilities using Moxa networking or industrial communication products should assess whether their systems are linked against xz 5.6.0 or later. This affects remote access gateways, managed switches, data acquisition devices, and any Moxa equipment compiled with the affected xz library versions. The risk is particularly high if Moxa products were built or updated between late 2023 and early 2024 when malicious xz versions were in circulation.
How it could be exploited
An attacker would need to compromise the software supply chain or trick a user into building/installing Moxa software linked against xz versions 5.6.0 or later. Once deployed, the backdoor in liblzma would silently intercept function calls, allowing data manipulation or command execution on affected devices without triggering normal authentication checks.
Prerequisites
  • Target system must have xz library version 5.6.0 or later installed or linked into affected software
  • Attacker must either control the source distribution or compromise the build environment during software compilation
  • Supply chain compromise / malicious code in upstream library
  • High EPSS score (85.6%)
  • Affects all versions linked against xz 5.6.0+
  • No patch available from Moxa at this time
  • Data interception and modification capability
Exploitability
High exploit probability (EPSS 85.6%)
Affected products (1)
Product | Affected Versions | Fix Status
Moxa’s Response Regarding XZ Containing Malware/Backdoor (CVE-2024-3094) | All versions | No fix yet
Remediation & Mitigation
Do now
HARDENING: Identify all systems and products using xz library version 5.6.0 or later (check installed dependencies and linked libraries)
WORKAROUND: Downgrade xz library to version 5.4.x or earlier if currently on 5.6.0 or later
HARDENING: Verify integrity of all Moxa software builds and installations; reinstall from trusted, verified sources if xz 5.6.0+ was present during original installation
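
The first "Do now" step on a Linux host, as an added example (not Moxa's or OTPulse's tooling): a POSIX shell script that lists versioned liblzma files under the given directories and the running processes that have liblzma mapped, flagging versions in the advisory's stated range (5.6.0 or later). The function names, the `--scan` switch and the directory list are assumptions; a filename check does not detect statically linked or renamed copies.

```shell
#!/bin/sh
# Added example. Scope rule from the advisory: xz/liblzma 5.6.0 or later.

# version_in_scope VERSION
# exit 0 = in scope (>= 5.6.0), 1 = older, 2 = version string not parseable
version_in_scope() {
    case "$1" in *.*) ;; *) return 2 ;; esac
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    case "$minor" in ''|*[!0-9]*) return 2 ;; esac
    [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 6 ]; }
}

# scan_lib_dirs DIR...
# Prints "STATUS VERSION PATH" for every regular file named liblzma.so.<version>.
# Symlinks such as liblzma.so.5 are skipped; the real file carries the version.
scan_lib_dirs() {
    find "$@" -name 'liblzma.so.*' -type f 2>/dev/null | sort |
    while read -r path; do
        ver=${path##*/liblzma.so.}
        rc=0
        version_in_scope "$ver" || rc=$?
        case $rc in
            0) echo "IN-SCOPE $ver $path" ;;
            1) echo "ok $ver $path" ;;
            *) echo "UNKNOWN $ver $path" ;;
        esac
    done
}

# procs_using_liblzma
# Prints "PID COMM LIBPATH" for each running process with liblzma mapped,
# which shows what is actually linked against the library right now.
procs_using_liblzma() {
    for maps in /proc/[0-9]*/maps; do
        lib=$(grep -m1 -o '/[^ ]*liblzma\.so[^ ]*' "$maps" 2>/dev/null) || continue
        pid=${maps#/proc/}; pid=${pid%/maps}
        echo "$pid $(cat "/proc/$pid/comm" 2>/dev/null) $lib"
    done
}

# Run as root with --scan so every /proc/<pid>/maps is readable.
if [ "${1:-}" = "--scan" ]; then
    scan_lib_dirs /lib /lib64 /usr/lib /usr/lib64 /usr/local/lib /opt
    procs_using_liblzma
fi
```

Any `IN-SCOPE` line identifies a file to take into the downgrade and integrity-verification steps listed above.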
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Contact Moxa to determine which products and versions are affected and when patched versions will be available
Long-term hardening
HARDENING: Implement network segmentation to limit lateral movement if a Moxa device is compromised