Moxa Multiple UC Series IPC SSH Vulnerability
Act Now · Severity 5.9 (Medium) · MPSA-247816 · Jun 20, 2024
Summary
CVE-2023-48795 affects Moxa UC Series IPCs. The vulnerability stems from insufficient integrity checks on SSH handshake packets, which allow an attacker positioned between an SSH client and server to omit negotiation messages and force a downgrade or disabling of security features without either endpoint detecting it. This may permit authentication bypass. Exploitation requires network access to intercept the traffic, but no user credentials or prior authentication.
What this means
What could happen
An attacker positioned on the network between an SSH client and a Moxa UC Series IPC could intercept and alter SSH handshake messages, bypassing authentication and gaining unauthorized access to the device. This could allow an attacker to access engineering functions and alter equipment configuration or operation.
Who's at risk
Water and electric utilities using Moxa UC Series IPCs for supervisory control, data logging, or remote monitoring should assess their exposure. These devices are commonly deployed as edge gateways in SCADA/ICS networks and remote terminal units (RTUs). Risk is highest if UC Series devices are accessible from untrusted network segments or if remote engineering access is required.
How it could be exploited
The attacker performs a man-in-the-middle attack on the SSH connection during the initial handshake phase. By omitting or modifying negotiation messages, the attacker forces the SSH session to downgrade security features (such as encryption or authentication checks) without either endpoint detecting the tampering. Once authentication is bypassed, the attacker can log in and issue commands as a legitimate user.
Prerequisites
- Network position allowing man-in-the-middle interception between SSH client and UC Series IPC (e.g., shared network segment, compromised router, ARP spoofing capability)
- SSH connection attempt from a client to the affected UC Series device
- remotely exploitable
- no authentication required (after bypass)
- low complexity required for mitigation, but exploitation requires network position
- high EPSS score (65.4%)
- no patch available
- affects control system management interfaces
Exploitability
High exploit probability (EPSS 65.4%)
Affected products (1)
Product     Affected Versions   Fix Status
UC Series   All versions        No fix yet
Remediation & Mitigation
Do now
- HARDENING: Isolate UC Series IPCs on a restricted network segment or VLAN accessible only to authorized engineering workstations and control systems
- WORKAROUND: Implement SSH access controls: restrict SSH port (22) access via firewall rules to only known engineering workstation IP addresses
- HARDENING: Monitor for and block ARP spoofing attempts on the network segment where UC Series devices are located
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- WORKAROUND: Disable SSH on UC Series IPCs if not actively required for remote engineering or management
- HARDENING: Use a VPN or jump host (bastion) for any remote SSH access to UC Series devices instead of direct network connectivity
Long-term hardening
- HARDENING: Monitor SSH connection logs on UC Series devices for failed or unusual authentication attempts
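The two monitoring-side recommendations above (an engineering-workstation allowlist for SSH, and watching device SSH logs for failed or unusual authentication) can be checked with a small log review script. The following is an added example, not code from the advisory or from Moxa; it parses OpenSSH-style syslog lines, which are constructed here for illustration, and the allowlist network 10.10.5.0/24 and the failure threshold are assumptions to be replaced with site values. It flags any SSH authentication activity from outside the allowlist, escalates a successful login from a non-allowlisted source, and counts repeated failed or invalid-user attempts per source address.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample sshd (OpenSSH, syslog format) lines; not real device logs.
SAMPLE_LOG = """\
Jun 20 10:01:12 uc-ipc sshd[1201]: Accepted publickey for engineer from 10.10.5.21 port 51822 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT
Jun 20 10:02:03 uc-ipc sshd[1210]: Failed password for root from 192.168.100.77 port 40110 ssh2
Jun 20 10:02:05 uc-ipc sshd[1210]: Failed password for root from 192.168.100.77 port 40110 ssh2
Jun 20 10:02:09 uc-ipc sshd[1210]: Failed password for root from 192.168.100.77 port 40110 ssh2
Jun 20 10:03:40 uc-ipc sshd[1222]: Invalid user admin from 192.168.100.77 port 40118
Jun 20 10:05:00 uc-ipc sshd[1230]: Accepted password for engineer from 172.16.9.9 port 60001 ssh2
Jun 20 10:06:15 uc-ipc sshd[1240]: Connection closed by authenticating user engineer 10.10.5.21 port 51900 [preauth]
"""

# Hypothetical allowlist of engineering workstations; site-specific in practice.
ENGINEERING_ALLOWLIST = [ipaddress.ip_network("10.10.5.0/24")]
# Assumed threshold for "repeated failures" from one source address.
FAILURE_THRESHOLD = 3

# Matches the three OpenSSH authentication messages relevant to the guidance:
# "Accepted <method> for <user>", "Failed <method> for [invalid user] <user>",
# and "Invalid user <user>", each followed by the source address and port.
EVENT_RE = re.compile(
    r"sshd\[\d+\]: "
    r"(?:(?P<accepted>Accepted) \w+ for (?P<auser>\S+)"
    r"|(?P<failed>Failed) \w+ for (?:invalid user )?(?P<fuser>\S+)"
    r"|(?P<invalid>Invalid user) (?P<iuser>\S+))"
    r" from (?P<ip>[0-9a-fA-F.:]+) port (?P<port>\d+)"
)


def parse_event(line):
    """Return (kind, user, source_ip) for an auth-relevant sshd line, else None."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    if m.group("accepted"):
        return ("accepted", m.group("auser"), m.group("ip"))
    if m.group("failed"):
        return ("failed", m.group("fuser"), m.group("ip"))
    return ("invalid_user", m.group("iuser"), m.group("ip"))


def analyze(log_text, allowlist=ENGINEERING_ALLOWLIST, threshold=FAILURE_THRESHOLD):
    """Return a list of (severity, source_ip, reason) findings for review."""
    events = [ev for ev in (parse_event(l) for l in log_text.splitlines()) if ev]

    def allowed(ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in allowlist)

    findings = []
    failures = Counter()
    reported_sources = set()
    for kind, user, ip in events:
        if kind in ("failed", "invalid_user"):
            failures[ip] += 1
        if allowed(ip):
            continue
        if kind == "accepted":
            # A successful login from outside the allowlist is the case to act on first.
            findings.append(("high", ip, f"successful SSH login as {user!r} from outside the engineering allowlist"))
        elif ip not in reported_sources:
            reported_sources.add(ip)
            findings.append(("medium", ip, "SSH authentication attempt from outside the engineering allowlist"))
    for ip, n in failures.items():
        if n >= threshold:
            findings.append(("medium", ip, f"{n} failed/invalid-user attempts (threshold {threshold})"))
    return findings


if __name__ == "__main__":
    for severity, ip, reason in analyze(SAMPLE_LOG):
        print(f"[{severity}] {ip}: {reason}")
```

On the constructed sample this reports the non-allowlisted source 192.168.100.77 twice (once for appearing at all, once for its four failed or invalid-user attempts) and escalates the accepted login from 172.16.9.9; the allowlisted engineer session from 10.10.5.21 produces no finding. Feed it the device's real sshd log and replace the allowlist with the firewall's permitted engineering addresses so that both controls are checked against the same list.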
CVEs (1)
- CVE-2023-48795