Moxa CVE-2026-9266: Missing Required Cryptographic Step Vulnerability in Industrial Computers

MonitorCVSS 4MPSA-266240Jun 12, 2026

MoxaManufacturing

Summary

CVE-2026-9266 is a Missing Required Cryptographic Step vulnerability in Moxa's embedded Linux firmware for industrial computers and controllers. It represents an incomplete fix to CVE-2026-0714. The firmware added TPM2 parameter encryption but misconfigured the authorization session, leaving the encryption ineffective. An attacker with invasive physical access can attach equipment to the SPI bus, eavesdrop on TPM communications, and derive the LUKS disk encryption key in plaintext, gaining full access to the encrypted disk volume. Remote exploitation is not possible, and downstream systems are not affected.

What this means

What could happen

An attacker with physical access to the device can extract the disk encryption key by eavesdropping on TPM communications, leading to full compromise of the encrypted disk and any stored sensitive data or credentials.

Who's at risk

Manufacturing plants and facilities using Moxa industrial computers for automation, control systems, and edge computing. Any environment where LUKS-encrypted data on these devices contains sensitive credentials, process data, or intellectual property.

How it could be exploited

An attacker must physically open the device and attach monitoring equipment to the SPI bus where the TPM communicates with the system. The incomplete TPM parameter encryption allows the attacker to capture unencrypted TPM communications and derive the LUKS disk encryption key in plaintext.

Prerequisites

Invasive physical access to the device
Ability to open device housing
Technical equipment to monitor and capture SPI bus communications

affects encrypted data protectionrequires invasive physical accessno patch currently available

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (1)

ProductAffected VersionsFix Status

Industrial ComputersAll versionsNo fix (EOL)

Remediation & Mitigation

0/3

Do now

0/1

HARDENINGRestrict physical access to industrial computers through locked enclosures and facility access controls to prevent unauthorized device opening

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXApply the latest Moxa firmware update for your industrial computer models to obtain the complete cryptographic remediation

Mitigations - no patch available

0/1

Industrial Computers has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGImplement facility security measures such as surveillance and access logging at locations where these devices are deployed

CVEs (2)

CVE-2026-0714 CVE-2026-9266

View full Moxa Security advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/a261fe49-82f6-4ef6-b0a6-452a1c40e196

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.