Moxa DA Series BIOS/Intel Firmware Vulnerabilities Affecting Industrial PCs
Moxa published security advisories for its industrial computer DA Series indicating that multiple vulnerabilities in underlying Intel firmware components can impact affected devices, including conditions leading to remote denial of service, privilege escalation, and potential confidentiality impacts. Affected systems include DA-682C (BIOS versions prior to v1.6), DA-820C (prior to v1.3), and DA-820E (as listed by CERT-FR), with the Canadian Centre for Cyber Security also flagging DA Series BIOS exposure broadly and calling out DA-682C BIOS v1.5 and earlier and DA-820C BIOS v1.2 and earlier.
The advisories map to Intel security issues including Intel BIOS firmware DoS (INTEL-SA-00813) and multiple vulnerabilities in Intel CSME/AMT (INTEL-SA-00391, INTEL-SA-00709). CERT-FR’s notice references related CVEs (including CVE-2020-8747, CVE-2020-8749, CVE-2020-8752, and CVE-2022-28697) and directs organizations to apply vendor-provided BIOS updates and mitigations from Moxa’s bulletins (mpsa-256821, mpsa-256822, mpsa-256823) to reduce exposure in operational technology environments.
Timeline
Mar 9, 2026
CERT-FR and Canada's Cyber Centre issue alerts on the Moxa flaws
On the same day as Moxa's advisories, CERT-FR and the Canadian Centre for Cyber Security published alerts warning about the vulnerabilities and directing administrators to review vendor guidance and apply updates. Their notices identified affected Moxa DA Series devices and summarized the potential impacts of the flaws.
Mar 9, 2026
Moxa publishes security advisories and fixes for DA Series products
Moxa published security advisories MPSA-256821, MPSA-256822, and MPSA-256823 addressing multiple BIOS/firmware vulnerabilities affecting DA Series industrial products. The advisories covered affected DA Series BIOS versions and provided updates and mitigation guidance for flaws including INTEL-SA-00813, INTEL-SA-00391, and INTEL-SA-00709.
Feb 26, 2026
CERT-FR starts a new notification campaign for Moxa vulnerabilities
CERT-FR indicates a new notification campaign began for multiple vulnerabilities affecting Moxa products, including DA-682C, DA-820C, and DA-820E systems. The issues were tied to Intel BIOS firmware and CSME/AMT components and could enable confidentiality impacts, remote denial of service, and privilege escalation.
Related Stories

Moxa Product Flaws Enable Privilege Escalation and Security Policy Bypass
CERT-FR published two advisories covering vulnerabilities in **Moxa** products, warning that the flaws could let attackers **escalate privileges** and undermine core security controls. One notice said successful exploitation could also affect **data confidentiality** and **data integrity**, raising concern for industrial and networked environments where Moxa equipment is commonly deployed. A separate CERT-FR notice reported another Moxa vulnerability that could allow an attacker to **bypass the security policy**. The advisories did not provide further technical details in the referenced content, including affected models, `CVE` identifiers, or specific remediation steps, leaving organizations to monitor vendor and national CERT guidance closely for product impact and patch information.
1 week ago
Moxa Industrial Ethernet Switches Affected by OpenSSH `ssh-agent` RCE (CVE-2023-38408)
Moxa issued guidance for a **critical remote code execution (RCE)** risk affecting multiple *industrial Ethernet switch* lines due to **CVE-2023-38408** in the OpenSSH `ssh-agent` PKCS#11 feature (OpenSSH versions prior to `9.3p2`). The flaw is described as an **unreliable/unquoted search path** issue (CWE-428) and is characterized as an incomplete fix related to **CVE-2016-10009**; exploitation can lead to full device compromise impacting confidentiality, integrity, and availability, with a reported **CVSS 3.1 score of 9.8**. Impacted products include Moxa **EDS** series switches (e.g., `EDS-G4000`, `EDS-4008/4009/4012/4014`, `EDS-G4008/G4012/G4014`) running **firmware `v4.1` or earlier**, and **RKS** series switches (e.g., `RKS-G4000`, `RKS-G4028`, `RKS-G4028-L3`) running **firmware `v5.0` or earlier**. Moxa’s remediation requires obtaining patches via **Moxa Technical Support** rather than public download; the cited target versions are **`4.1.58`** for EDS and **`5.0.4`** for RKS. Until updates can be applied, recommended mitigations include restricting network access (e.g., firewalls/ACLs) and segmenting OT networks (e.g., VLAN separation) to limit exposure.
1 month ago
DoS Vulnerabilities in Socomec DIRIS M-70 IIoT Gateway Found via Single-Thread Emulation Fuzzing
Cisco Talos disclosed **six denial-of-service vulnerabilities (six CVEs)** affecting the *Socomec DIRIS M-70* industrial gateway used for power monitoring and energy management, with impact concentrated in environments such as **critical infrastructure, data centers, and healthcare**. The issues affect **firmware 1.6.9** and can be triggered **remotely without authentication**, potentially disrupting Modbus-related processing and causing operational outages or instability in deployments where the gateway is a key communications component (RS485/Ethernet; protocols including **Modbus RTU/TCP**, **BACnet IP**, and **SNMP**). The research describes a technique to overcome hardware debugging constraints caused by the device’s STM32 **Code Read-out Protection (RDP) Level 1**, which blocks traditional JTAG-based inspection. Talos obtained an **unencrypted firmware update** and used a “**good enough**” emulation strategy: emulating only the **single Modbus-handling thread** (rather than full-system emulation) with **Unicorn Engine**, then applying **coverage-guided fuzzing with AFL** and using **Qiling** to visualize coverage and analyze crash root causes. Socomec reportedly **patched** the vulnerabilities following coordinated disclosure via Cisco’s policy.
1 month ago