Moxa CVE-2026-0714, CVE-2026-0715: Multiple Vulnerabilities in Industrial Computers

Monitor7MPSA-255121Feb 6, 2026

Summary

CVE-2026-0714: A physical vulnerability in Moxa industrial computers using TPM-backed LUKS full-disk encryption on Moxa Industrial Linux 3. An attacker with invasive physical access could attach equipment to the SPI bus to capture TPM communications and potentially decrypt the disk offline. This requires opening the device, possessing appropriate probe equipment, and extended access time for signal capture and analysis.\n\nCVE-2026-0715: Moxa Arm-based industrial computers running Moxa Industrial Linux Secure use a device-unique bootloader password printed on the device. An attacker with physical access to the serial console could enter bootloader mode. However, bootloader signature verification prevents installation of unsigned firmware, limiting the impact to temporary denial of service if a valid image is reflashed.

What this means

What could happen

These vulnerabilities require invasive physical access to the device to exploit and do not enable remote attacks. CVE-2026-0714 could allow an attacker with extended physical access to decrypt the disk; CVE-2026-0715 could allow temporary denial of service if an attacker physically accesses the serial console.

Who's at risk

Manufacturing facilities operating Moxa Arm-based industrial computers running Moxa Industrial Linux Secure or Moxa Industrial Linux 3 with TPM-backed disk encryption. These are typically used as controllers, edge compute devices, or operator interfaces in production environments.

How it could be exploited

CVE-2026-0714: Attacker must open the device, connect equipment to the SPI bus to capture TPM communications, and perform offline analysis to decrypt the disk. CVE-2026-0715: Attacker must access the serial console using the device-unique bootloader password found on the device; however, bootloader signature verification prevents malicious firmware installation, limiting impact to reflashing a valid image (denial of service).

Prerequisites

Physical access to open the device enclosure
For CVE-2026-0714: SPI bus probe equipment and signal capture capability
For CVE-2026-0714: Extended device possession time for signal analysis
For CVE-2026-0715: Physical access to serial console port
For CVE-2026-0715: Knowledge of device-unique bootloader password (printed on device)

Physical access required for exploitationNo remote exploitation possibleAffects confidentiality (disk decryption) and availability (denial of service)Requires extended physical access and specialized equipmentNo patch available from vendor

Exploitability

Low exploit probability (EPSS 0.0%)

Affected products (1)

ProductAffected VersionsFix Status

Industrial ComputersAll versionsNo fix yet

Remediation & Mitigation

0/3

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HARDENINGFor CVE-2026-0715, restrict physical access to serial console ports or disable serial console access if not required for operations

Long-term hardening

0/2

HARDENINGReview physical security controls around Moxa industrial computers to restrict unauthorized device access and opening

HARDENINGImplement perimeter security and surveillance to prevent extended physical access to devices in unattended locations

CVEs (2)

CVE-2026-0714 CVE-2026-0715

View full Moxa Security advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/87706433-a277-4845-8b01-18be4f24d580