Moxa CVE-2023-38408: OpenSSH Vulnerability in Ethernet Switches

Act Now | CVSS 9.8 | MPSA-256261 | Jan 9, 2026
Moxa
Summary

CVE-2023-38408 is a remote code execution vulnerability in OpenSSH's ssh-agent component caused by an unreliable search path in the PKCS#11 feature. The vulnerability allows an attacker to execute code if an SSH agent is forwarded to an attacker-controlled system. However, Moxa Ethernet switches operate as SSH servers and do not enable ssh-agent or agent forwarding functionality by default. The practical risk is considered very low because the exploitation conditions are not present in typical deployments.

What this means
What could happen
CVE-2023-38408 is a remote code execution vulnerability in OpenSSH's ssh-agent component. However, Moxa Ethernet switches do not enable SSH agent forwarding by default, making the practical risk very low in typical deployments.
Who's at risk
Moxa Ethernet switches used in industrial networks. This advisory is relevant to network administrators managing Moxa switches in water utilities, power distribution systems, and other critical infrastructure environments.
How it could be exploited
An attacker would need to (1) intercept SSH agent traffic or configure a system to receive forwarded SSH agent connections, and (2) send malicious code through the PKCS#11 search path to the ssh-agent process. This requires SSH agent forwarding to be explicitly enabled on the switch, which is not the default configuration.
Prerequisites
  • SSH agent forwarding must be explicitly enabled on the Moxa switch (non-default configuration)
  • Remotely exploitable
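
On the workstation used to manage the switches, whether an agent is forwarded is decided by the OpenSSH client's ForwardAgent option. The check below is an added example, not part of the original advisory or any Moxa tooling: it resolves the effective ForwardAgent value per host from an ssh_config text. The sample configuration and host names are constructed, and Match blocks and Include files are assumed to be skipped rather than evaluated.

```python
import fnmatch
import re

# Constructed sample ~/.ssh/config for an engineering workstation (host names are hypothetical).
SAMPLE_CONFIG = """\
Host bastion.example
    ForwardAgent yes
Host sw-* !sw-lab-*
    ForwardAgent no
Host *
    ForwardAgent = yes
"""

def host_matches(patterns, host):
    """Host-line semantics: a negated (!) hit vetoes the block, otherwise one positive hit is enough."""
    hit = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            hit = True
    return hit

def forward_agent_for(config_text, host):
    """Effective ForwardAgent value for host; ssh keeps the first value it obtains, default is 'no'."""
    host = host.lower()          # ssh lowercases the target name before matching
    active = True                # options above the first Host line apply to every host
    for raw in config_text.splitlines():
        m = re.match(r"\s*(\w+)\s*(?:=\s*|\s+)(.*?)\s*$", raw)
        if not m:
            continue             # blank line, comment, or keyword without an argument
        key, value = m.group(1).lower(), m.group(2)
        if key == "host":
            active = host_matches(value.split(), host)
        elif key == "match":
            active = False       # assumption: Match blocks are skipped, not evaluated
        elif key == "forwardagent" and active:
            return value.lower() if value.lower() in ("yes", "no") else value
    return "no"

def hosts_forwarding_agent(config_text, hosts):
    """Hosts for which the agent would be forwarded (any value other than 'no', e.g. a socket path)."""
    return [h for h in hosts if forward_agent_for(config_text, h) != "no"]

if __name__ == "__main__":
    for h in hosts_forwarding_agent(SAMPLE_CONFIG, ["sw-core-01", "sw-lab-02", "bastion.example"]):
        print("agent forwarding enabled for", h)
```

For an authoritative answer that also evaluates Match and Include, compare the result with the `forwardagent` line printed by `ssh -G <host>`.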
Exploitability
Likely to be exploited — EPSS score 64.3%
Public Proof-of-Concept (PoC) on GitHub (9 repositories)
Affected products (1)
Product | Affected Versions | Fix Status
Ethernet Switches | All versions | No fix yet

Moxa CVE-2023-38408: OpenSSH Vulnerability in Ethernet Switches | CVSS 9.8 - OTPulse