Moxa CVE-2026-0714, CVE-2026-0715: Multiple Vulnerabilities in Industrial Computers

Monitor | CVSS 7 | MPSA-255121 | Feb 6, 2026
Moxa | Manufacturing
Summary

Two vulnerabilities affect Moxa industrial computers. CVE-2026-0714 is a physical attack on TPM-backed LUKS full-disk encryption: an attacker with device disassembly capability and SPI bus interception equipment can capture TPM communications to potentially decrypt the eMMC storage offline. The attack requires invasive access, specialized equipment, and extended time, and cannot be performed remotely. CVE-2026-0715 involves a device-unique bootloader password provided on the device, which allows an attacker with physical access to enter the bootloader menu over the serial interface. Firmware signature verification prevents malicious code execution, so the only impact is a potential temporary denial-of-service if a valid image is reflashed. Both vulnerabilities require physical access and are not remotely exploitable.

What this means
What could happen
CVE-2026-0714 requires invasive physical dismantling and SPI bus interception to potentially decrypt encrypted disk storage offline. CVE-2026-0715 allows an attacker with physical device access to enter the bootloader menu, but signature verification prevents the attacker from modifying firmware or executing code, limiting the impact to temporary denial-of-service if the device is reflashed.
Who's at risk
Manufacturing facilities operating Moxa industrial computers with Moxa Industrial Linux 3 (especially those using TPM-backed LUKS encryption for data protection) or Arm-based models running Moxa Industrial Linux Secure. This affects edge computing devices, process controllers, and data acquisition systems in manufacturing environments.
How it could be exploited
For CVE-2026-0714: An attacker must physically open the industrial computer, connect equipment to the TPM SPI bus, capture encryption key material during operation, then perform offline cryptanalysis to decrypt the eMMC storage. For CVE-2026-0715: An attacker with physical access reads the device-unique bootloader password (printed on the device), connects via the serial interface, and enters the bootloader menu; firmware flashing is blocked by signature verification so actual system compromise is not possible.
Prerequisites
  • CVE-2026-0714: Invasive physical access, device disassembly capability, specialized SPI bus sniffing equipment, extended time to capture TPM communications, and knowledge of TPM-LUKS encryption mechanisms
  • CVE-2026-0715: Physical access to the device, ability to locate and read the bootloader password printed on the device, access to a serial console interface, and knowledge of Moxa bootloader menu navigation
  • Affects data-at-rest encryption systems
  • Requires extended physical access and specialized equipment
  • Default credentials exposure (bootloader password printed on device)
  • No remote exploitation possible (low attack likelihood)
  • No patch available from vendor
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (1)
Product | Affected Versions | Fix Status
Industrial Computers | All versions | No fix yet
Remediation & Mitigation
Do now
WORKAROUND: For devices where bootloader access is a concern, disable or physically secure serial console access points to prevent unauthorized bootloader menu entry
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: If available, update industrial computers to the latest Moxa Industrial Linux firmware version and reapply LUKS encryption if using TPM-backed full-disk encryption
Long-term hardening
HARDENING: Implement strict physical access controls to industrial computers in manufacturing facilities, including restricted entry to equipment rooms and device enclosures
HARDENING: Deploy environmental monitoring and tamper detection on industrial computers in high-security areas to alert if devices are opened or modified

Moxa CVE-2026-0714, CVE-2026-0715: Multiple Vulnerabilities in Industrial Computers | CVSS 7 - OTPulse