OTPulse

Moxa PT-7528 and PT-7828 Series Ethernet Switches Vulnerabilities

Monitor | CVSS 7 | Sep 25, 2019
Summary

Multiple vulnerabilities were identified in Moxa PT-7528 and PT-7828 Series Ethernet Switches: (1) Stack-based buffer overflow (CVE-2020-6989) allowing arbitrary code execution or denial of service; (2) Weak or risky cryptographic algorithms (CVE-2020-6987) enabling confidential information disclosure; (3) Hardcoded cryptographic keys (CVE-2020-6983) increasing risk of data recovery; (4) Hardcoded or default passwords (CVE-2020-6985) allowing unauthenticated access; (5) Weak password requirements (CVE-2020-6995) enabling brute-force attacks; (6) Information exposure via zero-day attack vectors (CVE-2020-6993). PT-7528 Series has no fix available. PT-7828 Series fixes are available.

What this means
What could happen
An attacker could execute arbitrary code on Moxa PT-7528 and PT-7828 switches, disrupting network operations and causing the device to fail. Additionally, weak or hardcoded credentials and cryptographic weaknesses could allow unauthorized access and exposure of sensitive configuration data.
Who's at risk
Water and electric utility operators managing Moxa PT-7528 or PT-7828 Series Ethernet switches used in industrial automation, SCADA, and network infrastructure should care about this issue. These devices are critical for communication between programmable logic controllers (PLCs), remote terminal units (RTUs), and other control equipment in substations, treatment plants, and pump stations. An outage or compromise could disrupt SCADA communications and control operations.
How it could be exploited
An attacker on the network could exploit the stack-based buffer overflow (CVE-2020-6989) by sending a malformed packet to cause code execution or denial of service. Alternatively, an attacker could use default or hardcoded credentials to gain administrative access, or exploit weak cryptographic algorithms to decrypt sensitive data in transit or at rest.
Prerequisites
  • Network access to the PT-7528 or PT-7828 management or data plane (Layer 2/3 connectivity)
  • Knowledge of hardcoded or weak default credentials on the device
  • Ability to send crafted network packets to trigger buffer overflow
  • No authentication required for some information disclosure paths
  • Remotely exploitable via network
  • No authentication required for some vulnerabilities
  • Low complexity exploitation (hardcoded credentials, weak cryptography)
  • No patch available for PT-7528 all versions
  • Affects network infrastructure supporting safety-critical systems
  • Default credentials and hardcoded keys present
Exploitability
Moderate exploit probability (EPSS 1.9%)
Affected products (1)
Product | Affected Versions | Fix Status
PT-7528 | All versions | No fix (EOL)
Remediation & Mitigation
Do now
  • HOTFIX: Contact Moxa support for PT-7528 Series affected units to determine available firmware patches or hardware replacement options, as no fix is currently available for all versions
  • WORKAROUND: Restrict management access to PT-7528 and PT-7828 switches using firewall rules to allow only authorized engineer workstations or control room networks
  • HARDENING: Change all default credentials on affected switches immediately; ensure passwords meet complexity requirements (upper/lower case, numbers, special characters, minimum 12 characters)
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: For PT-7828 Series, apply the latest firmware update from Moxa addressing CVE-2020-6989, CVE-2020-6987, CVE-2020-6983, CVE-2020-6985, CVE-2020-6995, and CVE-2020-6993
Mitigations - no patch available
PT-7528 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
  • HARDENING: Segment Moxa PT-series switches to a dedicated management VLAN or network separate from critical process networks to limit lateral movement
  • HARDENING: Disable or restrict access to any unnecessary network services or management protocols (e.g., Telnet, HTTP) on the switches; use HTTPS and SSH only if available
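
One way to verify that the access restriction and protocol hardening above are actually in effect, as an added example that is not part of the original advisory or any Moxa tooling: a Python check over exported firewall flow records that flags allowed management connections to the switches from outside the authorized workstation range, or over Telnet/HTTP. The addresses, the record format and the function name are assumptions, and the sample records are constructed.

```python
import ipaddress

# Assumed values for illustration only (documentation ranges, not from the advisory).
SWITCH_MGMT = {ipaddress.ip_address("192.0.2.10"), ipaddress.ip_address("192.0.2.11")}
AUTHORIZED_SOURCES = [ipaddress.ip_network("198.51.100.0/28")]  # engineer workstations
MGMT_PORTS = {22: "SSH", 23: "Telnet", 80: "HTTP", 443: "HTTPS"}
CLEARTEXT = {23, 80}  # protocols the advisory says to disable or restrict

# Constructed flow records in an assumed format: src_ip dst_ip proto dst_port action
SAMPLE_FLOWS = """\
198.51.100.5 192.0.2.10 tcp 443 allow
198.51.100.5 192.0.2.10 tcp 23 allow
203.0.113.77 192.0.2.11 tcp 22 allow
203.0.113.77 192.0.2.11 tcp 80 deny
198.51.100.9 192.0.2.50 tcp 23 allow
malformed line
"""

def audit_flows(text):
    """Return (line_no, reason) for each allowed flow that violates the policy."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed records
        src, dst, proto, port, action = parts
        try:
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
            port = int(port)
        except ValueError:
            continue  # unparseable address or port
        # Only allowed TCP flows to a switch management service matter here.
        if (dst_ip not in SWITCH_MGMT or action != "allow"
                or proto != "tcp" or port not in MGMT_PORTS):
            continue
        if not any(src_ip in net for net in AUTHORIZED_SOURCES):
            findings.append((n, f"unauthorized source {src} reached {MGMT_PORTS[port]} on {dst}"))
        elif port in CLEARTEXT:
            findings.append((n, f"cleartext {MGMT_PORTS[port]} to {dst} from {src}"))
    return findings

if __name__ == "__main__":
    for line_no, reason in audit_flows(SAMPLE_FLOWS):
        print(f"line {line_no}: {reason}")
```

Any finding means a compensating control is not enforced: either the firewall allowlist is too broad or a cleartext management service is still enabled on the switch.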
Moxa PT-7528 and PT-7828 Series Ethernet Switches Vulnerabilities | CVSS 7 - OTPulse