Moxa Multiple Moxa Ethernet Switches Affected by CVE-2023-48795 and CVE-2019-20372

Act Now | CVSS 5.9 | MPSA-244252 | Nov 1, 2024
Vendor: Moxa
Attack path
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

Multiple Moxa Ethernet switches are affected by two vulnerabilities: CVE-2023-48795 (improper validation of integrity check values) and CVE-2019-20372 (HTTP request/response smuggling). CVE-2023-48795 allows a remote man-in-the-middle attacker to bypass integrity checks and downgrade connection security, potentially modifying network traffic in transit. CVE-2019-20372 allows HTTP request smuggling against the web management interface, which can enable unauthorized access to web pages, bypass of security controls, and further attacks. Both vulnerabilities are remotely exploitable without authentication. No firmware patches are available from Moxa for affected switch models.

What this means
What could happen
An attacker could intercept and modify network traffic between your Moxa switch and connected devices (CVE-2023-48795), or exploit HTTP request smuggling to bypass web interface security controls and gain unauthorized access to switch management functions (CVE-2019-20372). This could allow unauthorized changes to network configuration or traffic routing in your plant network.
Who's at risk
Water utilities and power facilities relying on Moxa Ethernet switches for plant network infrastructure. Industrial facilities using Moxa switches for remote I/O, VLAN segmentation, or network-based device connectivity in SCADA/HMI systems. Any site with Moxa switches providing Layer 2/3 connectivity in the OT network where unauthorized reconfiguration could disrupt process monitoring or control.
How it could be exploited
An attacker positioned on the network path between the switch and connected devices could intercept unencrypted management traffic and forge integrity check values to modify commands without detection. Alternatively, an attacker could send crafted HTTP requests to the switch's web interface to bypass authentication or access restricted management pages, potentially reconfiguring network settings or gathering sensitive information about network topology.
Prerequisites
  • Network access to the Moxa switch (Layer 2 or 3 adjacency, or man-in-the-middle capability on the network path)
  • For CVE-2019-20372: access to the web management interface (TCP port 80/443, depending on configuration)
  • For CVE-2023-48795: ability to intercept and modify transit traffic
Risk factors
  • remotely exploitable
  • no authentication required for CVE-2019-20372
  • high EPSS score (69.7%)
  • no patch available
  • affects network infrastructure critical to OT operations
Exploitability
Likely to be exploited — EPSS score 70.8%
Public Proof-of-Concept (PoC) on GitHub (6 repositories)
Affected products (1)
Product | Affected Versions | Fix Status
Multiple Moxa Ethernet Switches Affected by CVE-2023-48795 and CVE-2019-20372 | All versions | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Restrict network access to the Moxa switch management interface using firewall rules or access control lists. Allow web management access only from a trusted engineering workstation or jump server, not from general plant networks.
WORKAROUND: Disable the web-based management interface (HTTP/HTTPS) if management is not required or if you can use SSH/Telnet console access instead. This eliminates the attack surface for CVE-2019-20372.
WORKAROUND: Contact Moxa technical support to confirm your specific switch models and firmware versions, and inquire about any vendor-issued workarounds or security advisories for CVE-2023-48795 and CVE-2019-20372.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Enable encrypted management protocols (SSH/TLS) for all switch communications if supported by your Moxa model. Disable unencrypted management access (HTTP, Telnet) to prevent traffic interception attacks.
Mitigations - no patch available
Multiple Moxa Ethernet Switches Affected by CVE-2023-48795 and CVE-2019-20372 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Implement network segmentation to isolate the Moxa switch's management traffic on a separate VLAN or protected management network, separate from production OT traffic.