Moxa Multiple Routers Improper Input Validation Vulnerabilities
Low Risk · Nov 24, 2022
Summary
Moxa routers contain improper authentication and input validation vulnerabilities in their web service. Two command injection vulnerabilities have been identified: CVE-2022-41758 allows unauthenticated command injection via the web service, and CVE-2022-41759 is a command injection vulnerability caused by improper input validation. Both could allow a remote attacker to execute arbitrary commands on the router.
What this means
What could happen
An attacker could execute arbitrary commands on affected Moxa routers without authentication, allowing them to manipulate network traffic, modify routing rules, or disrupt connectivity to critical OT devices and SCADA systems that depend on the router.
Who's at risk
Water utilities, electric utilities, and industrial facilities using Moxa routers for OT network connectivity or remote management. Particularly critical for organizations using these routers to connect SCADA systems, PLCs, and field devices to central monitoring stations.
How it could be exploited
An attacker sends a malicious HTTP request containing shell commands to the web service port on the router. The web service does not validate the input or check authentication before processing the request, allowing the commands to execute with router privileges. No credentials or network access beyond the web service port are required.
Prerequisites
- Network access to the router's web service port (typically port 80/443)
- Router must be reachable from the attacker's network location

remotely exploitable · no authentication required · no patch available · command injection allows arbitrary code execution
Affected products (1)
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| dation | All versions | No fix (EOL) |
Remediation & Mitigation
Do now
- WORKAROUND: Restrict network access to Moxa router web service ports using firewall rules; allow only authorized engineering workstations and management networks
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Contact Moxa support to request security patches or migration path, as no fix is currently available
Mitigations - no patch available
dation has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
- HARDENING: Implement network segmentation to isolate Moxa routers on a protected OT network segment with limited external connectivity
- HARDENING: Monitor router web service logs and network traffic for suspicious command injection patterns (shell metacharacters in HTTP requests)
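
One way to implement the log-monitoring control above, as an added example that is not part of the original advisory or any Moxa tooling. It assumes Common Log Format access lines captured by a proxy or sensor in front of the router; the paths, parameter names and sample lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Assumed format: Common Log Format lines from a proxy or sensor in front of the router.
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Shell metacharacters that should not appear in a management-UI path or parameter value.
SHELL_META_RE = re.compile(r'[;|`<>\n\r]|\$[({]|&&')

# Constructed sample lines (documentation IP ranges, hypothetical paths and parameters).
SAMPLE_LOG = [
    '198.51.100.7 - - [24/Nov/2022:10:00:01 +0000] "GET /status.cgi?iface=eth0&refresh=5 HTTP/1.1" 200 512',
    '203.0.113.9 - - [24/Nov/2022:10:00:05 +0000] "GET /diag.cgi?host=192.0.2.1%3Bid HTTP/1.1" 200 87',
    '203.0.113.9 - - [24/Nov/2022:10:00:09 +0000] "GET /diag.cgi?host=%2560uname%2560 HTTP/1.1" 200 90',
    '198.51.100.7 - - [24/Nov/2022:10:00:12 +0000] "GET /login.cgi?user=admin&lang=en HTTP/1.1" 401 0',
]

def decode_fully(value, rounds=3):
    """Undo nested percent-encoding (%253B -> %3B -> ;), bounded to a few rounds."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_fields(target):
    """Return (field, decoded_value) pairs of a request target that contain shell metacharacters."""
    parts = urlsplit(target)
    # Split the query on '&' first so the legitimate parameter separator is not flagged.
    fields = [("path", parts.path)] + parse_qsl(parts.query, keep_blank_values=True)
    decoded = [(name, decode_fully(value)) for name, value in fields]
    return [(name, value) for name, value in decoded if SHELL_META_RE.search(value)]

def scan(lines):
    """Return one alert dict per log line whose request target carries shell metacharacters."""
    alerts = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if m and (hits := suspicious_fields(m["target"])):
            alerts.append({"src": m["src"], "method": m["method"], "status": m["status"], "hits": hits})
    return alerts

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Access logs normally omit POST bodies, so this check covers request targets only; body parameters need the network-traffic inspection the mitigation also calls for.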
CVEs (2)