OTPulse

Moxa OnCell G3470A-LTE and WDR-3124A Series Cellular Gateways/Router Vulnerabilities

Act Now · Sep 1, 2021
Summary

Moxa OnCell G3470A-LTE and WDR-3124A cellular gateways contain multiple vulnerabilities: (1) heap-based buffer overflow in DHCP client (CVE-2016-2148) allowing remote attack, (2) arbitrary code execution via dropbear SSH (CVE-2016-7406), (3) outdated glibc library vulnerabilities (including CVE-2015-7547, CVE-2015-0235) enabling remote denial of service and code execution, (4) outdated Linux kernel vulnerabilities (including CVE-2019-16746, CVE-2017-11176, CVE-2016-7039) permitting privilege escalation and arbitrary command injection via oversized network traffic, and (5) use of hard-coded cryptographic keys. All device versions remain unpatched. An attacker with network access can exploit these to gain code execution, disable the gateway, or escalate privileges without authentication.

What this means
What could happen
An attacker with network access to a Moxa OnCell G3470A-LTE or WDR-3124A cellular gateway could execute arbitrary code, crash the device, or escalate privileges, causing loss of remote connectivity to field equipment and stopping automated data collection or control operations.
Who's at risk
Transportation operators using Moxa OnCell G3470A-LTE or WDR-3124A cellular gateways for remote site connectivity, telemetry, or SCADA communications. This includes rail system operators, traffic signal networks, and any facility relying on these devices for out-of-band management or real-time data collection from field equipment.
How it could be exploited
An attacker can send specially crafted packets (DHCP requests, SSH protocol data, or oversized network traffic) to the cellular gateway's network interface. The vulnerable glibc library and Linux kernel allow these packets to overflow memory buffers or trigger unhandled exceptions, giving the attacker code execution or denial of service. No authentication is required.
Prerequisites
  • Network reachability to the Moxa device on its WAN or management network interface
  • Device running unpatched firmware (all current versions affected)
  • No firewall rules blocking malicious packet patterns
Tags: remotely exploitable · no authentication required · low complexity · high EPSS score (93.9%) · no patch available · affects critical connectivity infrastructure
Exploitability
High exploit probability (EPSS 93.9%)
Affected products (1)
Product            Affected Versions   Fix Status
OnCell G3470A-LTE  All versions        No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Isolate OnCell G3470A-LTE and WDR-3124A devices on a dedicated industrial network segment with firewall rules that restrict inbound access to only required management IPs and control protocols
WORKAROUND: Restrict SSH access to the device to only known engineering workstations using firewall rules, or disable SSH if not in use
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

WORKAROUND: Disable the DHCP client on the device if a fixed IP configuration is feasible, or switch to a wired connection if cellular is not critical for operations
HOTFIX: Monitor for firmware updates from Moxa; contact Moxa technical support to confirm the patch timeline and apply any security updates immediately when available
Mitigations - no patch available
OnCell G3470A-LTE has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Implement network segmentation to isolate these gateways from critical control systems and data networks
HARDENING: Develop a contingency plan for loss of cellular connectivity, including manual backup procedures or failover to alternative communication methods
API: /api/v1/advisories/405bf642-6372-48fd-abdd-95b1ce86826b