OTPulse

Moxa SDS-3008 Series Multiple Vulnerabilities

Act Now · CVSS 6.9 · MPSA-248126 · Jun 19, 2024
Summary

SDS-3008 Series firmware v2.2 and prior contain vulnerabilities in an outdated jQuery library that allow Cross-site Scripting (XSS) attacks and prototype pollution. Affected CVEs: CVE-2015-9251, CVE-2020-11022, CVE-2020-11023 (XSS), and CVE-2019-11358 (prototype pollution). An attacker can remotely inject HTML or JavaScript via the web interface, causing arbitrary code to execute in an operator's browser session. This could lead to theft of session tokens and credentials, and to unauthorized modification of device settings such as port configurations, VLAN assignments, or network access policies. The prototype pollution vulnerability could be leveraged to inject malicious attributes that trigger secondary XSS attacks.
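Because the advisory ties each CVE to the bundled jQuery version rather than to the firmware number alone, an asset owner can confirm exposure from the version banner jQuery ships in its library file. The following script is an added example (not OTPulse's or Moxa's code); it assumes the switch serves jQuery with its standard banner and uses the fix versions published by the jQuery project, with constructed sample input:

```python
import re

# Versions in which the jQuery project fixed each CVE from the advisory
# (taken from the NVD entries, not from this advisory).
FIXED_IN = {
    "CVE-2015-9251": (3, 0, 0),   # cross-domain ajax script execution
    "CVE-2019-11358": (3, 4, 0),  # prototype pollution via $.extend
    "CVE-2020-11022": (3, 5, 0),  # htmlPrefilter XSS
    "CVE-2020-11023": (3, 5, 0),  # <option> element XSS
}

# jQuery files start with "/*! jQuery v1.11.1 | ..." (minified) or
# " * jQuery JavaScript Library v1.11.1" (unminified).
_BANNER = re.compile(r"jQuery(?: JavaScript Library)? v(\d+)\.(\d+)\.(\d+)")


def jquery_version(source: str):
    """Return (major, minor, patch) parsed from the banner, or None if absent."""
    m = _BANNER.search(source)
    return tuple(int(x) for x in m.groups()) if m else None


def applicable_cves(source: str):
    """List the advisory CVEs whose fix version is newer than the bundled jQuery.

    Returns None when no banner is found, so "unknown" is not confused with "clean".
    """
    ver = jquery_version(source)
    if ver is None:
        return None
    return sorted(cve for cve, fixed in FIXED_IN.items() if ver < fixed)


# Constructed samples: the opening line of a jQuery file as a web UI might serve it.
SAMPLE_OLD = "/*! jQuery v1.11.1 | (c) 2005, 2014 jQuery Foundation, Inc. | jquery.org/license */"
SAMPLE_NEW = "/*! jQuery v3.6.0 | (c) OpenJS Foundation and other contributors | jquery.org/license */"

if __name__ == "__main__":
    for label, src in (("old", SAMPLE_OLD), ("new", SAMPLE_NEW)):
        print(label, jquery_version(src), applicable_cves(src))
```

Feed it the contents of the jQuery file referenced by the device login page (saved with any HTTP client from an authorized management workstation); a result of None means the version could not be determined and the device should be treated as exposed.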

What this means
What could happen
An attacker could inject malicious code through the web interface of the SDS-3008 to steal data from users accessing the device or alter information displayed to operators. The prototype pollution vulnerability could be chained with other attacks to compromise device configuration or operator sessions.
Who's at risk
Water utilities and municipal electric providers using Moxa SDS-3008 Series managed Ethernet switches in their SCADA networks and RTU/PLC subnets should be concerned. The SDS-3008 is often deployed as a critical access point for remote management of distributed field equipment. Engineering staff and operators who access the device web interface to monitor network health or configure port settings are at direct risk of credential theft or unauthorized configuration changes.
How it could be exploited
An attacker could craft a malicious URL or web request containing JavaScript code and trick an operator into visiting it while logged into the SDS-3008 web interface. The vulnerable jQuery library would execute this code in the operator's browser, giving the attacker access to the operator's session or credentials, or the ability to make unauthorized configuration changes. Alternatively, the attacker could inject malicious attributes via prototype pollution to trigger XSS payloads in dependent components.
Prerequisites
  • Network access to the SDS-3008 web interface (HTTP/HTTPS port)
  • A user (operator or engineer) must visit a malicious link or be socially engineered while their session is active on the device
  • No credentials are required for the initial injection; user interaction is the key prerequisite
Tags
  • actively exploited (KEV)
  • remotely exploitable
  • requires user interaction (social engineering)
  • high EPSS score (36.9%)
  • no patch available
  • affects managed infrastructure that controls network access to safety-critical devices
Exploitability
Actively exploited — confirmed by CISA KEV
Affected products (1)
Product  | Affected Versions | Fix Status
SDS-3008 | All versions      | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Isolate the SDS-3008 from untrusted networks using a firewall rule that restricts web interface access to only authorized engineering workstations and management networks
WORKAROUND: Disable unnecessary web interface features, or the web interface entirely if the device is managed exclusively through industrial protocols (Modbus, DNP3, etc.)
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Monitor for any vendor firmware updates beyond v2.2; contact Moxa directly to request a patched version or extended support options
Mitigations - no patch available
SDS-3008 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Implement network segmentation to separate the SDS-3008 onto a restricted OT network with limited access from office networks and the internet
HARDENING: Train operators not to click suspicious links while their SDS-3008 session is active, and to log out after each session