Moxa CVE-2026-3867, CVE-2026-3868: Improper Ownership Management and Improper Handling of Length Parameter Inconsistency Vulnerabilities in Secure Router

Plan Patch | CVSS 8.7 | MPSA-261521 | Apr 27, 2026
Moxa
Summary

Two vulnerabilities have been identified in Moxa Secure Router across all versions. CVE-2026-3867 is an improper ownership management flaw that allows a low-privileged authenticated user to access a configuration file containing the hashed administrative password, but only if the configuration has been exported. CVE-2026-3868 is an improper length parameter handling flaw in the HTTPS management interface that allows an unauthenticated remote attacker to send specially crafted requests triggering a buffer overflow, causing the web service to become unresponsive and requiring a device reboot to restore operation. No confidentiality or integrity impact to downstream systems has been identified in either case.

What this means
What could happen
CVE-2026-3868 allows an unauthenticated attacker to crash the Secure Router's web management interface with a specially crafted request, requiring a device reboot to restore operations. CVE-2026-3867 allows an authenticated user with low privileges to extract the administrative password hash if a configuration file has been exported, enabling potential account takeover.
Who's at risk
Water authorities and municipal electric utilities using Moxa Secure Routers for network communications and remote management. Plant operators and control engineers who depend on the router for connectivity to SCADA systems, RTUs, or remote monitoring stations. IT staff managing router deployments in critical infrastructure environments.
How it could be exploited
For CVE-2026-3868: An attacker on the network sends a malformed HTTPS request with an inconsistent length parameter to the web management interface, triggering a buffer overflow that crashes the web service. For CVE-2026-3867: A low-privileged authenticated user accesses an exported configuration file and retrieves the hashed administrative password, then attempts to crack it offline.
Prerequisites
  • CVE-2026-3868: Network reachability to HTTPS management port (typically 443); no credentials required
  • CVE-2026-3867: Valid authenticated user account with low privileges; configuration file must have been exported and be accessible
Risk factors
  • remotely exploitable (CVE-2026-3868)
  • no authentication required (CVE-2026-3868)
  • low complexity to exploit
  • no patch available
  • affects network connectivity to safety-critical systems
  • denial of service impact requires manual device reboot
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (1)
Product | Affected Versions | Fix Status
Secure Router | All versions | No fix (EOL)
Remediation & Mitigation
Do now
  • HARDENING: Restrict HTTPS management interface access to trusted IP addresses or networks using a firewall rule or router ACL
  • HARDENING: Disable external access to the Secure Router's web management interface if not required for remote administration
  • HARDENING: Enforce strong password policies and change the administrative account password immediately
  • WORKAROUND: Review and remove any exported configuration files from accessible locations; store backups securely offline
Mitigations - no patch available
Secure Router has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
  • HARDENING: Implement network segmentation to isolate management traffic for the Secure Router
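
The weakness class named for CVE-2026-3868, a declared length that disagrees with the data actually received, shown as an added C illustration next to its hardened form. This is not Moxa's code or part of the advisory; the 2-byte length-prefixed message format, the function names and the sample bytes are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HDR_LEN 2u   /* constructed format: 2-byte big-endian length, then payload */

/* Weak pattern: trusts the declared length. If the sender declares more bytes
 * than it sent, or more than `out` holds, memcpy reads or writes out of bounds. */
long copy_payload_unchecked(const uint8_t *msg, size_t msg_len,
                            uint8_t *out, size_t out_cap)
{
    (void)msg_len; (void)out_cap;               /* never consulted: the defect */
    size_t declared = ((size_t)msg[0] << 8) | msg[1];
    memcpy(out, msg + HDR_LEN, declared);
    return (long)declared;
}

/* Hardened pattern: the declared length must agree with what was actually
 * received and must fit the destination before any byte is copied. */
long copy_payload_checked(const uint8_t *msg, size_t msg_len,
                          uint8_t *out, size_t out_cap)
{
    if (msg == NULL || out == NULL || msg_len < HDR_LEN)
        return -1;                              /* header itself is truncated */
    size_t declared = ((size_t)msg[0] << 8) | msg[1];
    if (declared != msg_len - HDR_LEN)
        return -1;                              /* declared vs. received mismatch */
    if (declared > out_cap)
        return -1;                              /* would overflow destination */
    memcpy(out, msg + HDR_LEN, declared);
    return (long)declared;
}

/* Constructed sample messages (not captured traffic). */
static const uint8_t MSG_OK[]       = { 0x00, 0x04, 'p', 'i', 'n', 'g' };
static const uint8_t MSG_OVERLONG[] = { 0x04, 0x00, 'p', 'i', 'n', 'g' }; /* declares 1024 */
static const uint8_t MSG_SHORT[]    = { 0x00 };

int main(void)
{
    uint8_t buf[16];
    int ok = copy_payload_checked(MSG_OK, sizeof MSG_OK, buf, sizeof buf) == 4
          && copy_payload_checked(MSG_OVERLONG, sizeof MSG_OVERLONG, buf, sizeof buf) == -1
          && copy_payload_checked(MSG_SHORT, sizeof MSG_SHORT, buf, sizeof buf) == -1;
    return ok ? 0 : 1;
}
```

The checked variant rejects a message before copying anything, so an inconsistent length costs one failed request instead of corrupting memory in the service.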