Moxa Industrial Ethernet Switches Affected by OpenSSH `ssh-agent` RCE (CVE-2023-38408)
Moxa issued guidance for a critical remote code execution (RCE) risk affecting multiple industrial Ethernet switch lines due to CVE-2023-38408 in the OpenSSH ssh-agent PKCS#11 feature (OpenSSH versions prior to 9.3p2). The flaw is described as an unreliable/unquoted search path issue (CWE-428) and is characterized as an incomplete fix related to CVE-2016-10009; exploitation can lead to full device compromise impacting confidentiality, integrity, and availability, with a reported CVSS 3.1 score of 9.8.
Impacted products include Moxa EDS series switches (e.g., EDS-G4000, EDS-4008/4009/4012/4014, EDS-G4008/G4012/G4014) running firmware v4.1 or earlier, and RKS series switches (e.g., RKS-G4000, RKS-G4028, RKS-G4028-L3) running firmware v5.0 or earlier. Moxa’s remediation requires obtaining patches via Moxa Technical Support rather than public download; the cited target versions are 4.1.58 for EDS and 5.0.4 for RKS. Until updates can be applied, recommended mitigations include restricting network access (e.g., firewalls/ACLs) and segmenting OT networks (e.g., VLAN separation) to limit exposure.
Timeline
Jan 13, 2026
Moxa makes patched firmware available through technical support
Moxa provided remediation guidance and made fixed firmware available via Moxa Technical Support rather than public download, including versions such as EDS 4.1.58 and RKS 5.0.4. The company also recommended interim mitigations including network segmentation, restricted access, hardening authentication, avoiding Internet exposure, and monitoring for anomalies.
Jan 13, 2026
Moxa issues advisory for affected EDS and RKS Ethernet switches
Moxa disclosed that multiple industrial Ethernet switch models in its EDS and RKS series were affected by CVE-2023-38408, including EDS firmware 4.1 or earlier and RKS firmware 5.0 or earlier. The company warned that exploitation could lead to full system compromise and pose risks to OT environments.
Jan 13, 2026
OpenSSH flaw CVE-2023-38408 disclosed as incomplete fix for CVE-2016-10009
CVE-2023-38408 was identified in OpenSSH's ssh-agent PKCS#11 feature, where an unreliable library search path could allow remote code execution when agent forwarding is used to an attacker-controlled system. The issue was described as an incomplete fix for CVE-2016-10009 and assigned a CVSS score of 9.8.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Vulnerabilities
Affected Products
Sources
Related Stories
Moxa Product Flaws Enable Privilege Escalation and Security Policy Bypass
CERT-FR published two advisories covering vulnerabilities in **Moxa** products, warning that the flaws could let attackers **escalate privileges** and undermine core security controls. One notice said successful exploitation could also affect **data confidentiality** and **data integrity**, raising concern for industrial and networked environments where Moxa equipment is commonly deployed. A separate CERT-FR notice reported another Moxa vulnerability that could allow an attacker to **bypass the security policy**. The advisories did not provide further technical details in the referenced content, including affected models, `CVE` identifiers, or specific remediation steps, leaving organizations to monitor vendor and national CERT guidance closely for product impact and patch information.
1 weeks ago
Moxa DA Series BIOS/Intel Firmware Vulnerabilities Affecting Industrial PCs
**Moxa** published security advisories for its industrial computer **DA Series** indicating that multiple vulnerabilities in underlying **Intel firmware components** can impact affected devices, including conditions leading to **remote denial of service**, **privilege escalation**, and potential **confidentiality** impacts. Affected systems include **DA-682C** (BIOS versions prior to `v1.6`), **DA-820C** (prior to `v1.3`), and **DA-820E** (as listed by CERT-FR), with the Canadian Centre for Cyber Security also flagging DA Series BIOS exposure broadly and calling out DA-682C BIOS `v1.5` and earlier and DA-820C BIOS `v1.2` and earlier. The advisories map to Intel security issues including **Intel BIOS firmware DoS** (**INTEL-SA-00813**) and multiple vulnerabilities in **Intel CSME/AMT** (**INTEL-SA-00391**, **INTEL-SA-00709**). CERT-FR’s notice references related CVEs (including **CVE-2020-8747**, **CVE-2020-8749**, **CVE-2020-8752**, and **CVE-2022-28697**) and directs organizations to apply vendor-provided BIOS updates and mitigations from Moxa’s bulletins (`mpsa-256821`, `mpsa-256822`, `mpsa-256823`) to reduce exposure in operational technology environments.
1 months ago
Critical Hard-Coded JWT Secret Vulnerability in Moxa Network Security Appliances (CVE-2025-6950)
A critical security vulnerability, tracked as CVE-2025-6950, has been identified in Moxa network security appliances and routers, allowing unauthenticated attackers to gain administrative access via a hard-coded JWT secret. The flaw, which carries a CVSS score of 9.9, stems from the use of a hard-coded secret key for signing JSON Web Tokens (JWT) used in the authentication process. This insecure implementation enables attackers to forge valid JWTs without any prior authentication, effectively bypassing all access controls. As a result, an attacker can impersonate any user, including administrators, and obtain full control over the affected device. Exploitation of this vulnerability can lead to unauthorized access, data theft, and complete system compromise. The vulnerability is remotely exploitable, significantly increasing the risk to organizations deploying these devices in critical network environments. According to the available reports, there is no evidence that exploitation of this flaw leads to loss of confidentiality or integrity in systems beyond the affected device itself. The vulnerability was disclosed by Moxa’s Product Security Incident Response Team (PSIRT) and has been publicly documented in multiple security advisories. Security researchers emphasize the severity of the issue due to the ease of exploitation and the potential impact on industrial and enterprise networks. The affected products include a range of Moxa network security appliances and routers, though specific model versions have not been detailed in the public advisories. Organizations using these devices are urged to review their deployments and apply any available patches or mitigations as soon as possible. The vulnerability was published and last updated on October 17, 2025, highlighting the need for immediate attention from network administrators. The flaw is distinct from other recent privilege escalation vulnerabilities in Moxa products, as it allows for unauthenticated, rather than authenticated, administrative takeover. Security experts recommend monitoring for signs of unauthorized access and reviewing authentication logs for suspicious activity. The use of hard-coded credentials is a well-known security anti-pattern, and this incident underscores the importance of secure key management in authentication systems. Moxa has been notified and is expected to release further guidance and remediation steps. Until patches are available, organizations should consider network segmentation and access restrictions to limit exposure. The incident has raised concerns about the security of industrial control systems and the potential for similar flaws in other embedded network devices. The vulnerability’s critical rating and remote exploitability make it a high-priority issue for all organizations relying on Moxa network security appliances.
1 months ago