OTPulse

Moxa OnCell G3100-HSPA Series and OnCell G3470A-LTE Series Cellular Gateway Vulnerabilities

Feb 13, 2020
Summary

Multiple vulnerabilities affect Moxa OnCell G3100-HSPA and OnCell G3470A-LTE cellular gateways. The G3100-HSPA series (all versions) is vulnerable to remote code execution via memory buffer overflow (CVE-2018-11423, CVE-2018-11425) and resource exhaustion (CVE-2018-11420), denial of service via null pointer dereference (CVE-2018-11424), brute-force authentication bypass (CVE-2018-11426), web interface CSRF attacks (CVE-2018-11427), sensitive information disclosure including credentials (CVE-2018-11421), and improper access control allowing unauthorized firmware upload and configuration changes (CVE-2018-11422). The G3470A-LTE series is vulnerable to memory buffer overflow (CVE-2018-11425) causing denial of service and RCE. An attacker with network access could exploit these flaws to execute arbitrary code, disrupt connectivity, modify settings, or extract administrative credentials.

What this means
What could happen
An attacker with network access to the cellular gateway could execute arbitrary commands on the device, alter cellular connectivity settings, or crash the gateway. This could disrupt remote monitoring and control communications for water/power facilities that rely on cellular backhaul.
Who's at risk
Water authorities and electric utilities that use Moxa OnCell G3100-HSPA or OnCell G3470A-LTE cellular gateways for remote SCADA communications, remote monitoring sites, or pump stations where cellular backhaul is the primary link to the control center.
How it could be exploited
An attacker on the network (or remotely via the public internet if the gateway is exposed) could send specially crafted packets to trigger memory buffer overflows or resource exhaustion, or could exploit weak authentication on the web interface to gain administrative access. From there, they could upload malicious firmware, modify gateway configuration, or execute commands that affect cellular connectivity for your SCADA system.
Prerequisites
  • Network access to the OnCell gateway (Ethernet, cellular, or VPN), or access to the web interface if publicly exposed
  • For brute-force attacks: no valid credentials required; weak password policy on the gateway
  • For firmware upload or CSRF attacks: ability to trick an authorized user into visiting a malicious link, or intercepted web session
  • For RCE via memory buffer overflow: no authentication required; malicious network packets can be sent directly to the device
  • remotely exploitable
  • no authentication required (for some vulnerabilities)
  • low complexity
  • no patch available for G3100-HSPA
  • affects remote monitoring and control communications
Exploitability
Moderate exploit probability (EPSS 1.1%)
Affected products (1)
Product             Affected Versions   Fix Status
OnCell G3100-HSPA   All versions        No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Disable or restrict access to the web administration interface if not actively used. Implement firewall rules to allow only authorized engineering workstations to reach the gateway's management ports (typically TCP 80, 443, and SSH).
HARDENING: If the device has a default or weak administrative password, change it to a strong, unique password immediately. Verify that password policies cannot be bypassed.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Check Moxa's website for firmware updates. If updates are available for your specific model and firmware version, schedule a maintenance window to apply the update. Note: This device may require a reboot during the update process, interrupting cellular connectivity.
Mitigations - no patch available
OnCell G3100-HSPA has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Place the OnCell gateway on a separate, segmented network (e.g., OT management VLAN) that is not directly reachable from the corporate network or internet. Use a firewall to allow only necessary traffic (e.g., cellular data to your RTU/PLC).
HARDENING: Monitor the gateway's logs and network traffic for signs of exploitation. Watch for unauthorized configuration changes, failed authentication attempts, or unexpected firmware uploads.
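As an added example (not part of this advisory and not Moxa's tooling), the monitoring item above turned into detection logic run over constructed sample log lines: a brute-force burst against the web interface, a configuration change from the same host, and a firmware upload. The syslog-style line format, the engineering-workstation addresses in ALLOWED_ADMIN_HOSTS and the failure thresholds are assumptions; adapt them to the gateway's real log output and your network.

```python
"""Added example: flags the exploitation signs listed above in gateway logs.
The syslog-style line format and hosts below are constructed, not Moxa's."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re
ALLOWED_ADMIN_HOSTS = {"10.10.5.20", "10.10.5.21"}  # engineering workstations (assumed)
FAILED_LOGIN_THRESHOLD = 5                   # failures from one source ...
FAILED_LOGIN_WINDOW = timedelta(seconds=60)  # ... within this sliding window
# Constructed format: "<ISO timestamp> oncell <event> src=<ip> [user=<u>] [file=<f>]"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) oncell (?P<event>\w+) "
    r"src=(?P<src>[\d.]+)(?: user=(?P<user>\S+))?(?: file=(?P<file>\S+))?$"
)

def analyze(lines):
    """Return (severity, message) alerts for the patterns the advisory lists."""
    alerts = []
    failures = defaultdict(deque)  # source ip -> timestamps of recent failures
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the monitor
        ts, event, src = datetime.fromisoformat(m["ts"]), m["event"], m["src"]
        if event == "login_failed":
            recent = failures[src]
            recent.append(ts)
            while ts - recent[0] > FAILED_LOGIN_WINDOW:
                recent.popleft()  # drop failures that fell out of the window
            if len(recent) == FAILED_LOGIN_THRESHOLD:  # alert once per burst
                alerts.append(("high", f"possible brute force from {src}: "
                               f"{len(recent)} failures in {FAILED_LOGIN_WINDOW.seconds}s"))
        elif event in ("firmware_upload", "config_change"):
            if src not in ALLOWED_ADMIN_HOSTS:
                alerts.append(("critical", f"{event} from non-engineering host {src}"))
            elif event == "firmware_upload":  # allowed host, but still confirm it
                alerts.append(("medium", f"firmware upload from {src}: confirm a "
                               "maintenance window was scheduled"))
    return alerts

# Constructed sample: brute-force burst, config change by the same host,
# a legitimate firmware upload, and one stray failure (no alert).
SAMPLE_LOG = """\
2020-02-13T08:00:01 oncell login_failed src=192.168.1.50 user=admin
2020-02-13T08:00:03 oncell login_failed src=192.168.1.50 user=admin
2020-02-13T08:00:05 oncell login_failed src=192.168.1.50 user=root
2020-02-13T08:00:07 oncell login_failed src=192.168.1.50 user=admin
2020-02-13T08:00:09 oncell login_failed src=192.168.1.50 user=admin
2020-02-13T08:00:20 oncell config_change src=192.168.1.50 user=admin
2020-02-13T09:15:00 oncell firmware_upload src=10.10.5.20 user=eng file=fw.bin
2020-02-13T10:00:00 oncell login_failed src=10.10.5.21 user=eng
"""
```

Calling `analyze(SAMPLE_LOG.splitlines())` yields three alerts (high, critical, medium); feeding the function a live tail of the gateway's syslog gives the same checks continuously.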