OTPulse

Moxa TAP-323, WAC-1001, and WAC-2004 Series Wireless AP/Bridge/Client Vulnerabilities

Act Now · CVSS 9 · Sep 1, 2021
Summary

Moxa TAP-323 Series and WAC-1001/2004 Series Railway Wireless Controllers contain multiple critical vulnerabilities spanning outdated software components:
  1. CVE-2016-2148: Heap-based buffer overflow in the DHCP client allows remote code execution.
  2. CVE-2016-7406: Improper input validation in Dropbear SSH allows arbitrary code execution.
  3. Multiple glibc vulnerabilities (CVE-2012-4412, CVE-2014-5119, CVE-2014-9402, CVE-2014-9984, CVE-2018-6485, CVE-2015-7547, CVE-2015-0235): Buffer overflow, integer overflow, and other memory safety issues in the outdated GNU C Library enable remote code execution and denial of service.
  4. Multiple Linux kernel vulnerabilities (CVE-2008-4609, CVE-2009-1298, CVE-2010-1162, CVE-2010-4251, CVE-2010-4805, CVE-2011-0709, CVE-2011-2525, CVE-2012-0207, CVE-2012-2136, CVE-2012-3552, CVE-2012-6638, CVE-2012-6701, CVE-2012-6704, CVE-2013-7470, CVE-2014-2523, CVE-2015-1465, CVE-2015-5364, CVE-2016-10229, CVE-2016-3134, CVE-2016-4997, CVE-2016-7039, CVE-2016-7117, CVE-2016-8666, CVE-2017-1000111, CVE-2017-11176, CVE-2017-7618, CVE-2017-8890, CVE-2019-16746, CVE-2019-3896, CVE-2010-3848, CVE-2012-0056, CVE-2010-2692): Privilege escalation, arbitrary command injection, denial of service via resource exhaustion, and memory corruption.
  5. Hard-coded cryptographic keys ("House of Keys"): Enables unauthorized network access and authentication bypass.

What this means
What could happen
An attacker on the network or internet could remotely execute arbitrary commands on these wireless controllers, potentially disrupting railway communications, signaling systems, or operational control. Alternatively, an attacker with access to the device could escalate privileges, extract hard-coded credentials, or cause denial of service, halting remote monitoring and control of critical rail infrastructure.
Who's at risk
Railway and transportation operators using Moxa TAP-323, WAC-1001, or WAC-2004 Series wireless controllers for train communication networks, signaling systems, or trackside equipment management should treat this as critical. These are field-deployed devices that directly support operational safety and real-time control of trains and rail infrastructure.
How it could be exploited
An attacker can craft malicious network traffic targeting vulnerable DHCP or SSH services on the wireless controller. If SSH is exposed, the attacker sends specially crafted input to trigger the buffer overflow in Dropbear (CVE-2016-7406) or exploits one of the many Linux kernel vulnerabilities to gain code execution. Alternatively, the attacker can trigger the DHCP client vulnerability (CVE-2016-2148) by responding to DHCP requests with a malformed packet. Once on the device, hard-coded keys allow password-less authentication to administration functions.
Prerequisites
  • Network access to TCP port 22 (SSH) or UDP port 67/68 (DHCP)
  • Device configured to use DHCP or expose SSH to untrusted networks
  • No firewall rules restricting inbound network traffic to the controller
  • Device running TAP-323, WAC-1001, or WAC-2004 firmware (any version)
  • Remotely exploitable (DHCP, SSH exposed to network)
  • No authentication required for DHCP service
  • Low attack complexity (straightforward buffer overflow exploitation)
  • High EPSS score (93.9%)
  • No patch available (TAP-323 end-of-life)
  • Affects critical infrastructure (railway signaling and control)
  • Hard-coded credentials present
  • Multiple vectors for privilege escalation
Exploitability
High exploit probability (EPSS 93.9%)
Affected products (1)
Product   Affected versions   Fix status
TAP-323   All versions        No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Isolate TAP-323, WAC-1001, and WAC-2004 devices from untrusted networks using network segmentation or air-gapping. Restrict administrative and operational access to engineering workstations or dedicated management VLANs only.
WORKAROUND: Disable the SSH service if it is not required for daily operations. If SSH must be enabled, restrict access via firewall rules to known engineering workstation IP addresses or a bastion host.
WORKAROUND: Assign static IP addresses to all TAP-323, WAC-1001, and WAC-2004 devices instead of using the DHCP client, so they are not exposed to malicious DHCP servers. If DHCP must be used, isolate the DHCP service to a trusted network segment.
HARDENING: Deploy strict ingress/egress firewall rules on the network perimeter and at the device level. Block all inbound traffic to SSH (port 22) and DHCP (ports 67/68) from untrusted sources.
HARDENING: Conduct a security audit to identify any hard-coded credentials or default accounts associated with these devices. Change all default passwords and rotate cryptographic keys if possible.
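As an added example (not OTPulse's or Moxa's code), the script below checks a constructed device inventory against the prerequisites listed above and the "Do now" controls in this section, reporting which controls are still missing per device. The Device fields, the trusted CIDR list and the control wording are assumptions made for the example.

```python
# Added example (not OTPulse or Moxa code): triage a constructed device
# inventory against this advisory's prerequisites and "Do now" controls.
from dataclasses import dataclass, field
from ipaddress import ip_network

AFFECTED_MODELS = {"TAP-323", "WAC-1001", "WAC-2004"}
EOL_MODELS = {"TAP-323"}             # advisory: end of life, no vendor fix
SSH_PORT, DHCP_PORTS = 22, (67, 68)  # exposed services named in the advisory

@dataclass
class Device:                        # field names are assumptions
    name: str
    model: str
    dhcp_client: bool                # obtains its address via DHCP (vs. static IP)
    ssh_enabled: bool
    ssh_allowed_from: list = field(default_factory=list)  # CIDR allow-list; [] = any
    management_vlan: bool = False    # reachable only from a management VLAN

def ssh_open_to_untrusted(dev: Device, trusted: list) -> bool:
    """True when SSH is reachable from a source outside every trusted CIDR."""
    if not dev.ssh_enabled:
        return False
    if not dev.ssh_allowed_from:
        return True                  # no allow-list: any source may connect
    nets = [ip_network(t, strict=False) for t in trusted]
    return any(not any(ip_network(a, strict=False).subnet_of(n) for n in nets)
               for a in dev.ssh_allowed_from)

def assess(dev: Device, trusted: list):
    """Return (verdict, missing_controls); 'critical' means a remote vector
    from the prerequisites (untrusted SSH or DHCP client) is still open."""
    if dev.model not in AFFECTED_MODELS:
        return "not-affected", []
    missing = []
    ssh_open = ssh_open_to_untrusted(dev, trusted)
    if not dev.management_vlan:
        missing.append("segment: restrict to a management VLAN or air-gap")
    if ssh_open:
        missing.append(f"restrict tcp/{SSH_PORT} to engineering hosts or disable SSH")
    if dev.dhcp_client:
        missing.append(f"static IP; block udp/{DHCP_PORTS[0]}-{DHCP_PORTS[1]} from untrusted")
    if dev.model in EOL_MODELS:
        missing.append("EOL: no patch; plan replacement with a supported model")
    if ssh_open or dev.dhcp_client:
        return "critical", missing
    return ("review" if missing else "ok"), missing
```

Feed it the inventory exported from your asset register; any device that comes back "critical" still has one of the remotely exploitable vectors from the prerequisites open.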
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Contact Moxa immediately to request any available firmware updates or patches. If no patches are available, work with Moxa on a timeline for remediation or consider device replacement with newer, supported hardware.
Long-term hardening
HOTFIX: Evaluate replacement or upgrade of TAP-323 devices to newer Moxa wireless controllers that receive active security updates and maintenance.
Mitigations - no patch available
TAP-323 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Monitor Moxa's security advisories and support channels for any future firmware releases or end-of-life notices for TAP-323, WAC-1001, and WAC-2004 series devices.