OTPulse

Moxa OnCell G3150A/G3470A Series and WDR-3124A Series Cellular Gateways/Router Vulnerabilities

Dec 30, 2021
Summary

Multiple vulnerabilities affect Moxa OnCell G3150A/G3470A Series and WDR-3124A Series Cellular Gateways/Routers across all versions. CVE-2021-37752 allows remote command injection via the web interface. CVE-2021-37753 and CVE-2021-37755 enable authentication bypass and unencrypted credential storage. CVE-2021-37757 causes buffer overflow crashes. CVE-2021-37751 leaks sensitive information to unauthorized users. CVE-2021-37754 allows brute-force credential attacks due to lack of login attempt restrictions. CVE-2021-37758 enables unsigned firmware installation, allowing firmware tampering. All vulnerabilities are remotely exploitable and affect the device's web management interface and firmware integrity.

What this means
What could happen
An attacker could remotely execute commands on the gateway, bypass authentication, crash the service, extract credentials, or upload malicious firmware, resulting in loss of cellular connectivity, remote device control, or traffic interception for any facility relying on these gateways for remote management or SCADA communications.
Who's at risk
Water utilities, electric distribution operators, and industrial facilities using Moxa OnCell G3150A, G3470A, or WDR-3124A cellular gateways for remote SCADA communications, VPN tunneling, or out-of-band management should immediately restrict access to these devices. These gateways are typically deployed in pump stations, substations, and remote terminal units to enable cellular fallback for critical control traffic.
How it could be exploited
An attacker on the Internet can reach the web interface of the gateway and inject commands via input validation flaws (CVE-2021-37752), or bypass authentication entirely due to weak credential validation (CVE-2021-37753/37755). Once authenticated or bypassed, the attacker can reconfigure the device, enable tunneling, or upload unsigned firmware containing malicious code. The lack of firmware signature verification (CVE-2021-37758) makes persistent compromise trivial.
Prerequisites
  • Network access to the gateway's web interface (typically port 80/443)
  • For some vulnerabilities, no credentials are required (authentication bypass exists)
  • Gateway must be reachable from the Internet or untrusted network segment
Risk factors
  • Remotely exploitable
  • No authentication required (for some CVEs)
  • Low complexity
  • No patch available
  • Multiple vulnerability types (code execution, authentication bypass, buffer overflow, credential theft, firmware integrity)
  • Commonly deployed in critical infrastructure
Affected products (1)
Product                 Affected Versions   Fix Status
OnCell G3150A/G3470A    All versions        No fix (EOL)
Remediation & Mitigation
Do now
  • WORKAROUND: Isolate the Moxa gateway behind a firewall; restrict inbound HTTP/HTTPS access to management workstations only using firewall rules
  • WORKAROUND: Disable remote web management if not required; use SSH or serial console only for configuration
  • HARDENING: Change all default credentials immediately and enforce strong passwords on all accounts
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Evaluate replacement with a newer Moxa cellular gateway model that includes firmware signature verification and authentication hardening
Mitigations - no patch available
OnCell G3150A/G3470A has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
  • HARDENING: Segment the gateway's management network from operational process networks using VLANs or network appliances
  • HARDENING: Monitor for firmware replacement attempts; log and alert on any firmware upgrade activities
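The compensating controls above (management access limited to known workstations, alerting on firmware upgrade activity) plus a detection for the login brute force that CVE-2021-37754 leaves unchecked on the device, as an added Python example that is not from the advisory or from Moxa. The log format, the management-host list and the /firmware_upgrade path are assumptions, since the advisory specifies none; adapt the regex to what the firewall or reverse proxy in front of the gateway actually emits.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical syslog-like format:
# timestamp, source IP, HTTP method, path, response status.
SAMPLE_LOG = """\
2021-12-30T10:00:01 src=10.20.0.5 POST /login status=200
2021-12-30T10:00:02 src=203.0.113.9 POST /login status=401
2021-12-30T10:00:03 src=203.0.113.9 POST /login status=401
2021-12-30T10:00:04 src=203.0.113.9 POST /login status=401
2021-12-30T10:00:05 src=203.0.113.9 POST /login status=401
2021-12-30T10:00:06 src=203.0.113.9 POST /login status=401
2021-12-30T10:00:40 src=10.20.0.5 POST /firmware_upgrade status=200
2021-12-30T10:01:00 src=198.51.100.7 GET /status status=200
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) (\S+) (\S+) status=(\d+)$")

# Hypothetical values: workstations allowed to manage the gateway,
# and the firmware-upload path whose use should always be alerted on.
MGMT_HOSTS = {"10.20.0.5"}
FIRMWARE_PATHS = {"/firmware_upgrade"}
FAIL_THRESHOLD = 5                   # failed logins per source ...
FAIL_WINDOW = timedelta(minutes=1)   # ... within this sliding window


def detect(log_text, mgmt_hosts=MGMT_HOSTS):
    """Return (kind, src) alerts, one per kind and source, for:
    management access from outside mgmt_hosts, any firmware-upgrade
    request, and login failures exceeding the threshold in the window
    (the device itself enforces no lockout, so the edge must)."""
    alerts, seen = [], set()
    fails = defaultdict(list)

    def alert(kind, src):
        if (kind, src) not in seen:
            seen.add((kind, src))
            alerts.append((kind, src))

    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        ts, src, _method, path, status = m.groups()
        ts = datetime.fromisoformat(ts)
        if src not in mgmt_hosts:
            alert("untrusted_mgmt_access", src)
        if path in FIRMWARE_PATHS:
            alert("firmware_upgrade", src)
        if path == "/login" and status == "401":
            # keep only failures that fall inside the sliding window
            fails[src] = [t for t in fails[src] if ts - t <= FAIL_WINDOW] + [ts]
            if len(fails[src]) >= FAIL_THRESHOLD:
                alert("login_bruteforce", src)
    return alerts
```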